[Esd-l] Odd behavior with the new outbreak
chris.rothbauer at intagio.com
Fri Aug 22 09:31:54 PDT 2003
I've been going through this for the past two days and just can't find enough info to come to a course of action. Maybe someone can help.
Here is my setup:
We run MS Exchange but SMTP isn't publicly available (blocked at firewall). On that server we run Norton AV for Exchange. At the border, we run sendmail 8.12.9 with procmail invoking spamassassin and sanitizer from within sendmail.cf (sendmail invokes procmail, which in turn runs the filters). All deliveries are then made, AFTER procmail completes, to Exchange. It's been working great until just now. Decisions to filter are based on the relay table.
In short, no email should be getting to exchange without passing through procmail at one of our border gateways (there are two).
For the past few days, we've been getting 'you sent a virus' messages from mailserver-virus products. For some reason, some of these emails contain the actual original (still infected) email as an attachment. So we have 1) Bob in Timbuktu sends the virus as me, then 2) I actually get the virus, as an attachment, in the original receiving gateway's virus auto-reply. How screwed is that?
Anyway, these infected attachments are being caught, not by sanitizer, but by the AV running on exchange. When I read the header info, it looks like it comes directly from exchange and the original headers have already been altered by exchange (thank you MS).
In the sendmail and procmail logs, I actually see the message enter the gateway, be rewritten with the .procmail tag for processing, have its MIME attachment headers defanged, and then passed on, still intact. I'm using the message IDs from the complaining gateway to track these through sendmail and procmail.
As of Wednesday morning, we had already logged over 1000 stripped attachments so I know sanitizer is still working (really well under load, I must add). The logs are now too big to search quickly so I stopped looking for stats. Security notices are still being inserted in place of dangerous materials though.
What can I do to try and collect more info?
Or better yet, has anyone seen this and dealt with it already? Catching it actually ON our corporate mail server is just a bit too close to home. I really want to get this one fixed.
Let me know, and thanks!
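One way to collect the information the post asks for is to correlate the sendmail maillog by Message-ID rather than by queue ID: in the setup described, a message that really went through procmail shows up under two queue IDs (the first handed to the procmail mailer, the second re-injected and relayed to Exchange), while a message that bypassed the filter has only the relay hop. The script below is an added example, not code from the original post or from the sanitizer project; the log lines are constructed in sendmail 8.12 style, the hostnames and addresses are made up, and the mailer names `procmail` and `esmtp` are assumptions that should be adjusted to match the local sendmail.cf.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt (not real log data). The first message
# takes two hops (procmail, then esmtp to Exchange); the second is relayed to
# Exchange without ever touching the procmail mailer.
SAMPLE_MAILLOG = """\
Aug 22 09:30:01 gw1 sendmail[2101]: h7MGU1aa002101: from=<bob@example.org>, size=41233, class=0, nrcpts=1, msgid=<20030822093001.ABC@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
Aug 22 09:30:02 gw1 sendmail[2102]: h7MGU1aa002101: to=<chris@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=procmail, pri=71233, dsn=2.0.0, stat=Sent
Aug 22 09:30:02 gw1 sendmail[2103]: h7MGU2bb002103: from=<bob@example.org>, size=41500, class=0, nrcpts=1, msgid=<20030822093001.ABC@example.org>, proto=ESMTP, daemon=MTA, relay=localhost
Aug 22 09:30:03 gw1 sendmail[2104]: h7MGU2bb002103: to=<chris@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=71500, relay=exchange.example.com. [10.0.0.5], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Aug 22 09:31:10 gw1 sendmail[2110]: h7MGVAcc002110: from=<av-gateway@example.net>, size=98000, class=0, nrcpts=1, msgid=<virusalert-1@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [198.51.100.7]
Aug 22 09:31:11 gw1 sendmail[2111]: h7MGVAcc002110: to=<chris@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=128000, relay=exchange.example.com. [10.0.0.5], dsn=2.0.0, stat=Sent (Queued mail for delivery)
"""

# sendmail logs one "from=" line per queue id (carrying the msgid) and one
# "to=" line per recipient (carrying the mailer used for that delivery).
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?msgid=<(?P<msgid>[^>]*)>")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*?mailer=(?P<mailer>\w+)")
RELAY_RE = re.compile(r"relay=(?P<relay>\S+)")


def parse_maillog(text):
    """Group delivery hops by Message-ID.

    Returns {msgid: [hop, ...]} where each hop records the queue id, envelope
    sender, recipient, mailer and (if logged) the relay host.
    """
    qid_to_msg = {}            # queue id -> (msgid, sender)
    hops = defaultdict(list)
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            qid_to_msg[m["qid"]] = (m["msgid"], m["sender"])
            continue
        m = TO_RE.search(line)
        if m and m["qid"] in qid_to_msg:
            msgid, sender = qid_to_msg[m["qid"]]
            relay = RELAY_RE.search(line)
            hops[msgid].append({
                "qid": m["qid"],
                "sender": sender,
                "rcpt": m["rcpt"],
                "mailer": m["mailer"],
                "relay": relay["relay"] if relay else "",
            })
    return dict(hops)


def find_unfiltered(hops, filter_mailer="procmail", final_mailer="esmtp"):
    """Message-IDs that reached the final (Exchange) hop without a filter hop.

    Mailer names are assumptions; check sendmail.cf for the real ones.
    """
    flagged = []
    for msgid, hs in hops.items():
        mailers = {h["mailer"] for h in hs}
        if final_mailer in mailers and filter_mailer not in mailers:
            flagged.append(msgid)
    return sorted(flagged)


def trace(hops, msgid):
    """Human-readable hop list for one Message-ID, in log order."""
    return ["%s mailer=%s relay=%s" % (h["qid"], h["mailer"], h["relay"] or "-")
            for h in hops.get(msgid, [])]


if __name__ == "__main__":
    hops = parse_maillog(SAMPLE_MAILLOG)
    for msgid in find_unfiltered(hops):
        print("no filter hop for <%s>:" % msgid)
        for hop in trace(hops, msgid):
            print("   ", hop)
```

Run it against a real maillog with `parse_maillog(open("/var/log/maillog").read())`; anything `find_unfiltered` reports is a message that Exchange accepted from the gateway without the procmail mailer ever being logged for it, which is exactly the path the post says should not exist. The procmail log and sanitizer's own "Sanitizer" lines can then be searched for the flagged queue IDs to confirm the gap.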