[Maia-users] Revisiting malicious ZIP attachment issues
Randy McAnally
2015-06-19 15:26:43 UTC
Hi all, long time user/lurker here.

Similar to the 'unable to ban zip files':

http://comments.gmane.org/gmane.mail.virus.maiamailguard/16241

Except in this case I am not banning Zips, but *certain* ones appear to
be evading virus scanning completely.

I received a malicious zip file and proceeded to test scan it on the
command line:

[***@mx1 ~]# file +14397327408-3688154-167160-479.zip
+14397327408-3688154-167160-479.zip: Zip archive data, at least v2.0 to
extract

[***@mx1 ~]# clamscan +14397327408-3688154-167160-479.zip -i
+14397327408-3688154-167160-479.zip:
Sanesecurity.Foxhole.Zip_exe.UNOFFICIAL FOUND

Size is appropriate (~25k) as well -- and since I also use Maia as a
smarthost, I tested Maia by forwarding to an external email address
(that I control) and it went right on through:

Received: from localhost (localhost.localdomain [127.0.0.1])
by mx1.mailstrainer.com (Postfix) with ESMTP id C7502FD23D
for <***@xxx.xxx>; Fri, 19 Jun 2015 11:08:42 -0400 (EDT)
Received: from www2.fastserv.com (www2.fast-serv.com [208.85.240.30])
by mx1.mailstrainer.com (Postfix) with ESMTP id 2AB4EFD219
for <***@xxx.xxx>; Fri, 19 Jun 2015 11:08:39 -0400 (EDT)
Received: from mbox by www2.fastserv.com with local (Exim 4.85)
(envelope-from <***@fastserv.com>)
id 1Z5xuJ-0005Mq-2x
for ***@xxx.xxx; Fri, 19 Jun 2015 11:08:39 -0400
To: ***@xxx.xxx
Subject: Fwd: You Have a New Fax Message
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_631f3d81877b98878f0d42cc021965cb"
Date: Fri, 19 Jun 2015 08:08:39 -0700
From: Randy McAnally <***@fast-serv.com>
Reply-To: ***@fast-serv.com
Mail-Reply-To: ***@fastserv.com
Message-ID: <***@mailbox.fastserv.com>
X-Sender: ***@fastserv.com
User-Agent: Roundcube Webmail/1.0.2
X-Virus-Scanned: amavisd-maia at mx1.mailstrainer.com
X-Spam-Status: No, hits=-0.047 tagged_above=-999 required=4
tests=AWL=-0.847,
BAYES_50=0.8
X-Spam-Level:

Any ideas on how to troubleshoot this?
--
Randy McAnally
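One way to start troubleshooting this, as an added example that is not part of the original post: pull the attachment out of the message exactly as it was delivered, record its size and SHA-256 so it can be compared with the file scanned by hand, list the ZIP members in memory, and optionally feed the same bytes to clamscan on stdin. It assumes a local clamscan binary and uses a constructed, harmless sample message in place of the real one.

```python
import email
import hashlib
import io
import subprocess
import zipfile
from email import policy
from email.message import EmailMessage

def extract_attachments(raw: bytes):
    """Return [(filename, bytes)] for each attachment part of a raw message,
    with the Content-Transfer-Encoding (base64 etc.) already decoded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "(unnamed)", p.get_payload(decode=True))
            for p in msg.iter_attachments()]

def fingerprint(data: bytes) -> dict:
    """Size, SHA-256 and ZIP magic of the delivered bytes, to compare with
    the file scanned by hand: a mismatch means the gateway saw other bytes."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "is_zip": data[:4] == b"PK\x03\x04"}

def zip_members(data: bytes):
    """List the archive's member names in memory, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def scan_with_clamscan(data: bytes, cmd=("clamscan", "--no-summary", "-")):
    """Hand the same bytes to clamscan on stdin (assumes a local binary).
    Exit status 1 means a signature matched, 0 clean, 2 scanner error."""
    proc = subprocess.run(list(cmd), input=data, capture_output=True)
    return proc.returncode == 1, proc.stdout.decode(errors="replace").strip()

def build_sample_eml() -> bytes:
    """Constructed stand-in for the forwarded 'New Fax Message' mail: a
    multipart/mixed message with one harmless ZIP holding a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_0001.txt", "constructed harmless content\n")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "recipient@example.invalid"
    msg["Subject"] = "Fwd: You Have a New Fax Message"
    msg.set_content("Forwarded fax attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="fax_0001.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, data in extract_attachments(build_sample_eml()):
        print(name, fingerprint(data), zip_members(data))
```

Run it against the .eml saved from the external mailbox instead of the constructed sample; if the SHA-256 matches the file scanned by hand, the bytes were not altered in transit and the difference lies in how Maia invokes the scanner rather than in the attachment.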