The Community Forums


The mail to which the virus was attached reaches the receiver.

Discussion in 'E-mail Discussions' started by PondRicefied, Dec 13, 2004.

  1. PondRicefied

    PondRicefied Well-Known Member

    Please advise if you please.

    I tried building a mail server with the following components.
    OS: fedora core 2
    INSTALL SOFT: Exim+Exiscan+Clamav+Spamassassin
    exim-4.43-40_cpanel_smtpctl_av_rewrite_mm2_mmmtrap_exiscan_md5pass
    RvSkin (http://www.rvskin.com/index.php?page=public/antispam)
    MailScanner(http://www.webumake.com/free/mailscanner.htm)

    Question...

    1. Why is e-mail sent without SMTP authentication when it is sent to a local user (same server)?
    (SMTP authentication works for delivery to external addresses.)

    case. test@{mydomain} -> test@{mydomain}. The mail client has SMTP AUTH turned off.
    case's log:
    Dec 13 23:16:04 sv1 clamd[7247]: No stats for Database check - forcing reload
    Dec 13 23:16:04 sv1 spamd[7301]: connection from localhost [127.0.0.1] at port 33139
    Dec 13 23:16:04 sv1 spamd[7301]: info: setuid to mailnull succeeded
    Dec 13 23:16:04 sv1 spamd[7301]: checking message <JV20041213231705.14833000@{myhostname}> for mailnull:47.
    Dec 13 23:16:04 sv1 clamd[7247]: Reading databases from /var/lib/clamav
    Dec 13 23:16:04 sv1 clamd[7247]: Database correctly reloaded (28342 viruses)
    Dec 13 23:16:08 sv1 spamd[7301]: clean message (2.0/12.0) for mailnull:47 in 4.2 seconds, 549 bytes.
    Dec 13 23:16:08 sv1 spamd[7301]: result: . 1 - NO_REAL_NAME,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=4.2,size=549,mid=<JV20041213231705.14833000@{myhostname}>,autolearn=no
    &
    2004-12-13 23:16:08 1Cdqzb-000214-VK <= root@{hostname} H={provider_host} (root) [{provider_ip}] P=smtp S=549 id=JV20041213231705.14833000@{hostname}
    2004-12-13 23:16:08 1Cdqzb-000214-VK => test <test@{myhostname}> R=virtual_user T=virtual_userdelivery
    2004-12-13 23:16:08 1Cdqzb-000214-VK Completed



    2. When sending e-mail, Clamd detects a virus, but why is the VIRUS DELIVERED TO the RECEIVER as it is?

    case1. test@{mydomain} with VIRUS -> my mail address at the provider.
    case1's log.
    Dec 13 23:25:41 sv1 clamd[7247]: /var/spool/exim/scan/1Cdr8v-00022Z-NK/1Cdr8v-00022Z-NK-00000.zip: Eicar-Test-Signature FOUND
    Dec 13 23:25:41 sv1 spamd[7302]: connection from localhost [127.0.0.1] at port 33151
    Dec 13 23:25:41 sv1 spamd[7302]: info: setuid to mailnull succeeded
    Dec 13 23:25:41 sv1 spamd[7302]: checking message <6.1.0.6.2.20041213232632.0470f4f8@{myhostname}> for mailnull:47.
    Dec 13 23:25:45 sv1 spamd[7302]: clean message (1.8/12.0) for mailnull:47 in 3.2 seconds, 1040 bytes.
    Dec 13 23:25:45 sv1 spamd[7302]: result: . 1 - FORGED_RCVD_HELO,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=3.2,size=1040,mid=<6.1.0.6.2.20041213232632.0470f4f8@{myhostname}>,autolearn=no
    &
    2004-12-13 23:25:45 1Cdr8v-00022Z-NK <= test@{myhostname} H={provider_host} (xxxxxxx) [{provider_ip}] P=esmtpa A=fixed_login:test+{mydomain} S=1093 id=6.1.0.6.2.20041213232632.0470f4f8@{myhostname}
    2004-12-13 23:25:45 1Cdr8v-00022Z-NK => {providers_my_mail_address} R=lookuphost T=remote_smtp H={provider_host} [{provider_ip}]
    2004-12-13 23:25:45 1Cdr8v-00022Z-NK Completed

    case2.
    case2's log.
    Dec 13 23:30:50 sv1 clamd[7247]: SelfCheck: Database status OK.
    Dec 13 23:30:50 sv1 clamd[7247]: /var/spool/exim/scan/1CdrDu-00023g-8K/1CdrDu-00023g-8K.eml: Eicar-Test-Signature FOUND
    Dec 13 23:30:50 sv1 spamd[7303]: connection from localhost [127.0.0.1] at port 33163
    Dec 13 23:30:50 sv1 spamd[7303]: info: setuid to mailnull succeeded
    Dec 13 23:30:50 sv1 spamd[7303]: checking message <JW20041213233153.15721484@{myhostname}> for mailnull:47.
    Dec 13 23:30:54 sv1 spamd[7303]: clean message (2.0/12.0) for mailnull:47 in 4.2 seconds, 1233 bytes.
    Dec 13 23:30:54 sv1 spamd[7303]: result: . 1 - NO_REAL_NAME,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=4.2,size=1233,mid=<JW20041213233153.15721484@{myhostname}>,autolearn=no
    &
    2004-12-13 23:30:54 1CdrDu-00023g-8K <= root@{myhostname} H={provider_host} (xxxxxxx) [{provider_ip}] P=smtp S=1286 id=JW20041213233153.15721484@{myhostname}
    2004-12-13 23:30:54 1CdrDu-00023g-8K => test <test@{mydomain}> R=virtual_user T=virtual_userdelivery
    2004-12-13 23:30:54 1CdrDu-00023g-8K Completed



    ---EXIM.CONF------
    FIRST BOX:------------------------------------------------------------------------------------
    I deleted the content of a setting.
    --------------------------------------------------------------------------------------------

    FIRST BOX:-------------------------------------------------------------------------------
    ---TOP-----------------------------------------------------------------------------------
    I deleted the content of a setting.

    ---CENTER-----------------------------------------------------------------------------------
    I deleted the content of a setting.
    ---------------- to next -----------------
     
    #1 PondRicefied, Dec 13, 2004
    Last edited: Dec 13, 2004
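As an added example (not code from this thread, from cPanel or from Exim), here is a small Python correlator for the two questions above. It joins clamd's "FOUND" lines with Exim's main-log arrival (<=), delivery (=>) and Completed lines by queue id, then reports whether a message was accepted without SMTP AUTH (no A= field on the arrival line) and whether it stayed local or was relayed, and whether a message clamd flagged was still delivered. The sample log lines are the ones quoted in the post, with their {placeholders} kept as-is, plus one constructed message (queue id 1Cdzzz-000999-AA, not from the thread) to show what an unauthenticated submission relayed off-server looks like. Treating transports named remote_* as off-server and everything else as local is an assumption about this configuration.

```python
"""Correlate clamd and Exim main-log lines by queue id (added example, not from the thread)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Sample input: the log lines quoted in the post (placeholders such as {hostname} kept
# verbatim), plus one constructed message, 1Cdzzz-000999-AA, that is NOT from the thread
# and models an unauthenticated submission that gets relayed off-server.
CLAMD_LOG = """\
Dec 13 23:16:04 sv1 clamd[7247]: Database correctly reloaded (28342 viruses)
Dec 13 23:25:41 sv1 clamd[7247]: /var/spool/exim/scan/1Cdr8v-00022Z-NK/1Cdr8v-00022Z-NK-00000.zip: Eicar-Test-Signature FOUND
Dec 13 23:30:50 sv1 clamd[7247]: /var/spool/exim/scan/1CdrDu-00023g-8K/1CdrDu-00023g-8K.eml: Eicar-Test-Signature FOUND
"""

EXIM_MAINLOG = """\
2004-12-13 23:16:08 1Cdqzb-000214-VK <= root@{hostname} H={provider_host} (root) [{provider_ip}] P=smtp S=549 id=JV20041213231705.14833000@{hostname}
2004-12-13 23:16:08 1Cdqzb-000214-VK => test <test@{myhostname}> R=virtual_user T=virtual_userdelivery
2004-12-13 23:16:08 1Cdqzb-000214-VK Completed
2004-12-13 23:25:45 1Cdr8v-00022Z-NK <= test@{myhostname} H={provider_host} (xxxxxxx) [{provider_ip}] P=esmtpa A=fixed_login:test+{mydomain} S=1093 id=6.1.0.6.2.20041213232632.0470f4f8@{myhostname}
2004-12-13 23:25:45 1Cdr8v-00022Z-NK => {providers_my_mail_address} R=lookuphost T=remote_smtp H={provider_host} [{provider_ip}]
2004-12-13 23:25:45 1Cdr8v-00022Z-NK Completed
2004-12-13 23:30:54 1CdrDu-00023g-8K <= root@{myhostname} H={provider_host} (xxxxxxx) [{provider_ip}] P=smtp S=1286 id=JW20041213233153.15721484@{myhostname}
2004-12-13 23:30:54 1CdrDu-00023g-8K => test <test@{mydomain}> R=virtual_user T=virtual_userdelivery
2004-12-13 23:30:54 1CdrDu-00023g-8K Completed
2004-12-13 23:40:00 1Cdzzz-000999-AA <= someone@example.net H=(host.example) [192.0.2.10] P=smtp S=700 id=constructed@example.net
2004-12-13 23:40:01 1Cdzzz-000999-AA => other@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20]
2004-12-13 23:40:01 1Cdzzz-000999-AA Completed
"""

# clamd names the scanned file by Exim's per-message scan directory, which carries the queue id.
CLAMD_FOUND = re.compile(
    r"clamd\[\d+\]: /var/spool/exim/scan/(?P<qid>[^/]+)/[^:]*: (?P<sig>\S+) FOUND$")
EXIM_ARRIVAL = re.compile(r"^\S+ \S+ (?P<qid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
EXIM_DELIVERY = re.compile(r"^\S+ \S+ (?P<qid>\S+) => .* T=(?P<transport>\S+)")
EXIM_COMPLETED = re.compile(r"^\S+ \S+ (?P<qid>\S+) Completed$")


def new_record() -> dict:
    return {"sender": None, "proto": None, "auth": None,
            "transports": [], "virus": None, "completed": False}


def analyse(clamd_log: str, exim_log: str) -> Dict[str, dict]:
    """Build one record per Exim queue id from both logs."""
    msgs = defaultdict(new_record)
    for line in clamd_log.splitlines():
        m = CLAMD_FOUND.search(line)
        if m:
            msgs[m["qid"]]["virus"] = m["sig"]
    for line in exim_log.splitlines():
        if m := EXIM_ARRIVAL.match(line):
            # Arrival fields are key=value tokens; A= is present only when the
            # client authenticated (P= then reads esmtpa instead of smtp).
            kv = dict(t.split("=", 1) for t in m["rest"].split() if "=" in t)
            rec = msgs[m["qid"]]
            rec["sender"], rec["proto"], rec["auth"] = m["sender"], kv.get("P"), kv.get("A")
        elif m := EXIM_DELIVERY.match(line):
            msgs[m["qid"]]["transports"].append(m["transport"])
        elif m := EXIM_COMPLETED.match(line):
            msgs[m["qid"]]["completed"] = True
    return dict(msgs)


def findings(msgs: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Turn records into (queue id, severity, finding) triples."""
    out = []
    for qid, rec in sorted(msgs.items()):
        # Assumption: transports named remote_* leave the server, anything else is local.
        remote = [t for t in rec["transports"] if t.startswith("remote_")]
        local = [t for t in rec["transports"] if not t.startswith("remote_")]
        if rec["auth"] is None and local:
            # Expected: local domains are accepted without AUTH, otherwise nobody could mail you.
            out.append((qid, "INFO", "unauthenticated-local-delivery"))
        if rec["auth"] is None and remote:
            # Unauthenticated submission relayed off-server: open-relay symptom.
            out.append((qid, "ALERT", "unauthenticated-relay"))
        if rec["virus"] and rec["completed"] and rec["transports"]:
            # Scanner reported a signature, yet the message completed delivery.
            out.append((qid, "ALERT", "virus-delivered:" + rec["virus"]))
    return out


if __name__ == "__main__":
    for qid, severity, what in findings(analyse(CLAMD_LOG, EXIM_MAINLOG)):
        print(f"{severity:5} {qid} {what}")
```

Run stand-alone, the script reports the two quoted unauthenticated messages as INFO (both were delivered only by virtual_userdelivery), both Eicar messages as ALERT virus-delivered, and only the constructed 1Cdzzz message as an unauthenticated relay. The INFO finding is the behaviour the thread's answer describes: Exim's RCPT ACL accepts mail for local domains from anyone and only requires authentication (or a trusted host) for relaying elsewhere. The virus-delivered ALERT only says that a FOUND line and a Completed delivery share a queue id; on this page that traced to an empty /etc/antivirus.exim, so no discard action was configured.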
  2. PondRicefied

    PondRicefied Well-Known Member

    -----Continuation ---------------
    I deleted the content of a setting.

    ---BOTTOM-----------------------------------------------------------------------------
    none
    --------------------------------------------------------------------------------------------
    Other BOX is none.


    Best Regards.
     
    #2 PondRicefied, Dec 13, 2004
    Last edited: Dec 13, 2004
  3. PondRicefied

    PondRicefied Well-Known Member

    Please let me know the default content of the antivirus.exim file if you please.

    It is my mistake.
    /etc/antivirus.exim file became empty.
    Please let me know the default content of the antivirus.exim file if you please.

    Best Regards.
     
  4. chirpy

    chirpy Well-Known Member

    1. That's because the email is being sent to a local user - the SMTP server will always allow delivery to a local user without authentication, otherwise no-one from off-server would ever be able to send emails to your server ;)

    2. No idea, but if it is the antivirus.exim file (which I don't use, I prefer clamavmodule through MailScanner) then you can always get a new one by doing:

    /scripts/exim4
     
  5. PondRicefied

    PondRicefied Well-Known Member

    Thank you Jonathan! :p

    > /scripts/exim4
    It was O.K. once the file was revived and "Discard..." was checked in WHM.

    > 1. That's because the email is being sent to a local user - the SMTP server will always allow delivery to a local user without authentication, otherwise no-one from off-server would ever be able to send emails to your server
    I see. Well, what should I do about SPAM control for a user of a different domain on the same server?

    I see. :p

    Thank you.

    By the way, what measures are you taking for SPAM control between users of different domains on the same server?
     
  6. chirpy

    chirpy Well-Known Member

    You can't. Well, you might be able to, but not necessarily easily. I would suggest using a rubber hammer and hitting them repeatedly over the head :)

    At the end of the day, if you cannot trust the users on your server, then they could be sending their spam off-server as well as to local users anyway.
     