Possible virus loop hole?

21 October 2017 at 7:16pm

Posted By: lyndonje
Date Posted: 10 February 2009 at 7:47am

A customer has contacted me to say one of the users seems to have received an email containing a virus. I asked them to send me a copy of the email, firstly to confirm it does actually contain a virus. After not receiving the email, and in checking the logs, I found that the email they tried to send to me was rejected because it did contain a virus.

Having looked at the headers of the original email, which was only sent a few hours prior, I can see that the email did pass through our SF server. On checking the logs I can see that the TO and FROM address both matched, but were autowhitelisted, which seems to have taken priority over the fact SF detected a virus in the email? Log snipped below, using v.

02/10/09 06:10:33:439 -- (10428) Connection from:  -  Originating country : Cyprus
02/10/09 06:10:34:251 -- (10428) Received MAIL FROM: <> SIZE=53856
02/10/09 06:10:34:439 -- (10428) Received RCPT TO:
02/10/09 06:10:34:485 -- (10428) Resolving -
02/10/09 06:10:34:485 -- (10428) - Mail From and Mail To are equal -
02/10/09 06:10:34:485 -- (10428) - Mail from: To: will be rejected
02/10/09 06:10:34:485 -- (10428) Bypassed all rules for: from ( AutoWhiteList Force Delivery)
02/10/09 06:10:36:673 -- (10428) Bypassed all rules for: from
02/10/09 06:10:36:704 -- (10428) Start virus scan
02/10/09 06:10:36:720 -- (10428) EMail from to infected with the virus W32/Bagle.QS
02/10/09 06:10:36:720 -- (10428) Starting queueing procedures
02/10/09 06:10:36:720 -- (10428) EMail from to was queued. Size: 52 KB, 53248 bytes
02/10/09 06:10:36:735 -- (10428) Starting bayesian procedures
02/10/09 06:10:36:767 -- (2728) Sending email from to --
02/10/09 06:10:36:782 -- (10488) Time to add Msg to Bayes corpus:0
02/10/09 06:10:36:970 -- (10428) Disconnect
02/10/09 06:10:38:032 -- (2728) EMail from to --  was forwarded to a.b.c.d:25

Posted By: LogSat
Date Posted: 10 February 2009 at 4:11pm
Lyndon, you are absolutely correct here unfortunately. We were able to replicate this, it seems as if whitelisted individuals are treated incorrectly, and emails with viruses are incorrectly whitelisted as well.

We'll have a fix for this ASAP, hopefully within the next 12 hours or less.

Posted By: LogSat
Date Posted: 10 February 2009 at 4:59pm
Due to the urgency of the issue (and the fact that this bug is caused by a missing single line of code), we've just pre-released the fastest bug fix in our history, adding it to the current enhancements that were in the works. The updated build is and it is available right now in the registered user area of our website.

The bug caused users who were whitelisted either because they were added in the "Whitelisted Emails TO" or because of entries in the AutoWhiteList-forcedelivery filter to receive unfiltered infected emails.
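
A log audit for the pattern in the first post (virus detected, message queued anyway), added here as an example; it is not part of the thread and not LogSat's code. The line layout is assumed from the excerpt above, and the sample log is constructed from that excerpt's message strings.

```python
import re

# Layout assumed from the excerpt in this thread: "<date> <time> -- (<id>) <message>"
LINE_RE = re.compile(r"^(\S+ \S+) -- \((\d+)\) (.*)$")
VIRUS_RE = re.compile(r"infected with the virus (\S+)")

def find_delivered_infected(lines):
    """Return one record per session that logged a virus hit and was still queued."""
    sessions, findings = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, sid, msg = m.groups()
        if msg.startswith("Connection from:"):
            # Ids are reused by later connections, so start from a clean state.
            sessions[sid] = {"virus": None, "bypass": False}
            continue
        state = sessions.setdefault(sid, {"virus": None, "bypass": False})
        if msg.startswith("Bypassed all rules for:"):
            state["bypass"] = True
        hit = VIRUS_RE.search(msg)
        if hit:
            state["virus"] = hit.group(1)
        elif "was queued" in msg and state["virus"]:
            findings.append({"session": sid, "queued_at": ts,
                             "virus": state["virus"], "rules_bypassed": state["bypass"]})
    return findings

# Constructed sample: infected+queued, infected+not queued, then id 10428 reused clean.
SAMPLE_LOG = """\
02/10/09 06:10:33:439 -- (10428) Connection from:  -  Originating country : Cyprus
02/10/09 06:10:34:485 -- (10428) Bypassed all rules for: from ( AutoWhiteList Force Delivery)
02/10/09 06:10:36:704 -- (10428) Start virus scan
02/10/09 06:10:36:720 -- (10428) EMail from to infected with the virus W32/Bagle.QS
02/10/09 06:10:36:720 -- (10428) EMail from to was queued. Size: 52 KB, 53248 bytes
02/10/09 06:10:36:970 -- (10428) Disconnect
02/10/09 06:11:02:101 -- (10440) Connection from:  -  Originating country : Cyprus
02/10/09 06:11:03:210 -- (10440) Start virus scan
02/10/09 06:11:03:226 -- (10440) EMail from to infected with the virus W32/Bagle.QS
02/10/09 06:11:03:400 -- (10440) Disconnect
02/10/09 06:12:10:005 -- (10428) Connection from:  -  Originating country : Cyprus
02/10/09 06:12:11:350 -- (10428) EMail from to was queued. Size: 52 KB, 53248 bytes
02/10/09 06:12:11:500 -- (10428) Disconnect
""".splitlines()

if __name__ == "__main__":
    for finding in find_delivered_infected(SAMPLE_LOG):
        print(finding)
```

Run against logs from before the fixed build was installed, each record marks a message that needs follow-up with the recipient.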

