[Esd-l] RE: Odd behavior with the new outbreak - Another Followup

Chris Rothbauer chris.rothbauer at intagio.com
Fri Aug 22 10:49:40 PDT 2003


One more note to hopefully help. I'm now subscribed to several of the internal distribution lists to catch more of these 'backscatter' messages.

One just came in that specifically stated: 

A Virus has been detected in a mail message recently sent out by you.  Please contact your system administrator to correct the problem.  Your message has been quarantined and will not be delivered.

Attached was our own sanitizer security notice, replacing the infected attachment (a .pif). So this particular AV gateway sent the virus back and it WAS caught by sanitizer.

Might my original problem be that the notices are NDRs and are then unchecked by procmail? If so, it may be the location within the sendmail.cf.  Here is a snippet, and some of the surrounding macros. Should this be in a different location?


###################################################################
###  Ruleset 98 -- local part of ruleset zero (can be null)     ###
###################################################################

SParseLocal=98

# addresses sent to foo at host.REDIRECT will give a 551 error code
R$* < @ $+ .REDIRECT. >         $: $1 < @ $2 . REDIRECT . > < ${opMode} >
R$* < @ $+ .REDIRECT. > <i>     $: $1 < @ $2 . REDIRECT. >
R$* < @ $+ .REDIRECT. > < $- >  $#error $@ 5.1.1 $: "551 User has moved; please try " <$1@$2>


R$*<@$=R>$*     $#procmail $@/etc/procmail/filt.rc $:$1<@$2.procmail.>
R$*<@$=R.>$*    $#procmail $@/etc/procmail/filt.rc $:$1<@$2.procmail.>
R$*<@$*.procmail.>$*            $1<@$2.>$3

######################*****##############
###   PROCMAIL Mailer specification   ###
##################*****##################

#####  $Id: procmail.m4,v 8.22 2001/11/12 23:11:34 ca Exp $  #####

Mprocmail,      P=/usr/bin/procmail, F=DFMSPhnu9, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP/HdrFromSMTP,
                T=DNS/RFC822/X-Unix,
                A=procmail -Y -m $h $f $u

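An added example, not code from this post or from sanitizer: it parses a DSN shaped like the one quoted further down (multipart/report wrapping the bounced original as message/rfc822) and lists attachments that sit inside the bounced original, which is exactly where the returned .pif rides along. The DSN text and the risky-extension list are constructed for the example.

```python
"""Walk a multipart/report DSN and list attachments nested in the bounced original."""
import email
from email import policy

RISKY_EXT = (".pif", ".scr", ".exe", ".bat", ".com", ".vbs")  # assumed list

# Constructed sample modelled on the DSN quoted below: the bounced original,
# infected .pif and all, rides along as a message/rfc822 part.
SAMPLE_DSN = b"""\
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: RFC822; him@example.invalid
Status: 5.1.2
--b1
Content-Type: message/rfc822

Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

This is the file it keeps sending me.
--b2
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"

(constructed placeholder bytes, not a real executable)
--b2--
--b1--
"""

def list_attachments(msg, path=()):
    """(container chain, filename) for every part that carries a filename.
    multipart/* and message/rfc822 both answer is_multipart(), so the
    recursion descends into the bounced original too."""
    if msg.is_multipart():
        chain = path + (msg.get_content_type(),)
        return [h for p in msg.get_payload() for h in list_attachments(p, chain)]
    name = msg.get_filename()
    return [(" > ".join(path), name)] if name else []

def risky_in_bounce(raw):
    """Risky-extension attachments that sit inside a bounced original."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(chain, name) for chain, name in list_attachments(msg)
            if "message/rfc822" in chain and name.lower().endswith(RISKY_EXT)]
```

A filter that only inspects top-level parts never sees the chain reported here, which is why the bounce can carry the attachment past it.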

-----Original Message-----
From: Chris Rothbauer 
Sent: Friday, August 22, 2003 11:57 AM
To: Chris Rothbauer; esd-l at spconnect.com
Subject: [Esd-l] RE: Odd behavior with the new outbreak - Followup


I was able to replicate it by doing the following....

I retrieved an infected file out of quarantine, sent an email to a recipient at the complaining gateway, via my own smtp relay. So I am playing the role of "Bob" playing the role of me. The path of the message is from my relay, to the complaining server, then back into my filters to exchange. There are absolutely no tags (X-Spam-Status, etc.) in the incoming portion of the header. I then popped it down to get all the headers intact. 

On going through this for email addresses/IPs/domains, I realized it's just a standard NDR sending me the original email as an attachment so odds are there aren't any funky encodings going on. Notice that there are no spamassassin or sanitizer tags in the header at my receiving portion. This message id (yadayadayada at HERB_BDC) is in my logs, however.

Here you go (altered to protect the innocent) .....

Received: by myserver.mydomain.com 
	id <01C368CB.3AD9703C at myserver.mydomain.com>; Fri, 22 Aug 2003 11:34:17 -0500
MIME-Version: 1.0
Content-Type: multipart/report;
	report-type=delivery-status;
	boundary="----_=_NextPart_001_01C368CB.3AD9703C"
content-class: urn:content-classes:dsn
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Subject: Undeliverable: your server is sending me viruses
Date: Fri, 22 Aug 2003 11:34:17 -0500
Message-ID: <094FB038FF88D611B5A800A0CCE034D7346283 at HERB_BDC>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
Thread-Topic: your server is sending me viruses
Thread-Index: AcNozXVfxrcq6znLSxyUNvWPdNW/JgAAjqHg
From: "System Administrator" <postmaster at mydomain.com>
To: "Chris Rothbauer" <me at mydomain.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C368CB.3AD9703C
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your message

  To:      him at hisdomain.com
  Subject: your server is sending me viruses
  Sent:    Fri, 22 Aug 2003 11:28:19 -0500

did not reach the following recipient(s):

him at hisdomain.com on Fri, 22 Aug 2003 11:50:14 -0500
    The e-mail address could not be found.  Perhaps the recipient moved
to a different e-mail organization, or there was a mistake in the
address.  Check the address and try again.The MTS-ID of the original
message is:c=3DUS;a=3D ;p=3Dhisdomain;l=3DHERB_BDC0308221650RLHXBG0A
    MSEXCH:IMS:hisdomain:LAB:HERB_BDC 0 (000C05A6) Unknown Recipient


------_=_NextPart_001_01C368CB.3AD9703C
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit

Original-Envelope-ID: c=US;a= ;p=hisdomain;l=HERB_BDC0308221650RLHXBG0A
Reporting-MTA: dns; myserver.mydomain.com

Final-Recipient: RFC822; him at hisdomain.com
Action: failed
Status: 5.1.2
X-Supplementary-Info: MSEXCH:IMS:hisdomain:LAB:HERB_BDC 0 (000C05A6) Unknown Recipient
X-Display-Name: him at hisdomain.com

------_=_NextPart_001_01C368CB.3AD9703C
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Received:  from myrelay.myhomedomain.net (myrelay.myisp.net [x.x.x.x]) by herb_bdc.hisdomain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id RLHXBG0A; Fri, 22 Aug 2003 12:50:06 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----_=_NextPart_002_01C368CD.7068B300"
Received:  from mydesktop ([x.x.x.x]) by myrelay.myhomedomain.net (8.12.8/8.12.5) with SMTP id h7MGkDCq003422 for <him at hisdomain.com>; Fri, 22 Aug 2003 11:46:14 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
Subject: your server is sending me viruses
Date: Fri, 22 Aug 2003 11:28:19 -0500
Message-ID: <000d01c368ca$68aa9c80$470119ac at stitch>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
Thread-Topic: your server is sending me viruses
Thread-Index: AcNozXVfxrcq6znLSxyUNvWPdNW/Jg==
From: "Chris Rothbauer" <me at mydomain.com>
To: <him at hisdomain.com>
Reply-To: "Chris Rothbauer" <me at mydomain.com>

This is a multi-part message in MIME format.

------_=_NextPart_002_01C368CD.7068B300
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<DEFANGED_META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">


<DEFANGED_META content=3D"MSHTML 6.00.2800.1226" name=3DGENERATOR>
 <!-- <DEFANGED_STYLE> --> </DEFANGED_STYLE>
</HEAD>
<BODY bgColor=3D#d8d0c8>
<DIV><FONT face=3DArial size=3D2>as attachments in autoreplies. Please =
turn this=20
feature off.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>This is the file it keeps sending me. I =
pulled it=20
out of quarantine.</FONT></DIV></BODY></HTML>

------_=_NextPart_002_01C368CD.7068B300
Content-Type: text/plain;
	name="Quarantined Attachment.txt"
Content-Transfer-Encoding: base64
Content-Description: Quarantined Attachment Report
Content-Disposition: attachment;
	filename="Quarantined Attachment.txt"

WW91ciBhdHRhY2htZW50ICJkZXRhaWxzLnBpZiIgY29udGFpbmVkIHZpcnVzOg0KICAgICAgICAg
IlczMi5Tb2JpZy5GQG1tIi4NCg0KSXQgd2FzIHF1YXJhbnRpbmVkIGFuZCByZXBsYWNlZCB3aXRo
IHRoaXMgdGV4dCBmaWxlLg0KDQpJRDpDSDMtRVgwMTo6U1lRYzg0Y2MyZTg=

------_=_NextPart_002_01C368CD.7068B300--

------_=_NextPart_001_01C368CB.3AD9703C--

-----Original Message-----
From: Chris Rothbauer 
Sent: Friday, August 22, 2003 11:30 AM
To: 'esd-l at spconnect.com'
Subject: Odd behavior with the new outbreak



I've been going through this for the past two days and just can't find enough info to come to a course of action. Maybe someone can help. 

Here is my setup:
We run MS Exchange but SMTP isn't publicly available (blocked at firewall). On that server we run Norton AV for Exchange. At the border, we run sendmail 8.12.9 with procmail invoking spamassassin and sanitizer from within sendmail.cf (sendmail invokes procmail, which in turn runs the filters). All deliveries are then made, AFTER procmail completes, to Exchange. It's been working great until just now. Decisions to filter are based on the relay table.

In short, no email should be getting to exchange without passing through procmail at one of our border gateways (there are two).

For the past few days, we've been getting 'you sent a virus' messages from mailserver-virus products. For some reason, some of these emails contain the actual original (still infected) email as an attachment. So we have 1) Bob in Timbuktu sends the virus as me, then 2) I actually get the virus, as an attachment, in the original receiving gateway's virus auto-reply. How screwed is that?

Anyway, these infected attachments are being caught, not by sanitizer, but by the AV running on exchange. When I read the header info, it looks like it comes directly from exchange and the original headers have already been altered by exchange (thank you MS).

In the sendmail and procmail logs, I actually see the message enter the gateway, be rewritten with the .procmail tag for processing, have its MIME Attachment Headers defanged, and then passed on, still intact. I'm using the message IDs from the complaining gateway to track these through sendmail and procmail.

As of Wednesday morning, we had already logged over 1000 stripped attachments so I know sanitizer is still working (really well under load, I must add). The logs are now too big to search quickly so I stopped looking for stats. Security notices are still being inserted in place of dangerous materials though.

What can I do to try and collect more info?
Or better yet, has anyone seen this and dealt with it already? Catching it actually ON our corporate mail server is just a bit too close to home. I really want to get this one fixed.

Let me know, and thanks!

C
_______________________________________________
Esd-l mailing list
Esd-l at spconnect.com
http://www.spconnect.com/mailman/listinfo/esd-l