SMTP/Pop3 Proxy Virus protection too strict. Major mail bug.

I wasn't getting an e-mail from a client. So I checked the Proxy Content Manager and there are a LARGE number of e-mails (300 +) and a lot of them are classified:

This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.

I have an Extension filter enabled on the Pop3 as well as virus protection but the extension filter is simply for harmful extensions. After looking at the content manager they all seem to be the same e-mail... It’s a .pdf from a trusted person (I know him) they also seem to repeat every few minutes. See sample below.

2002-12-17-14-12-46-23237-1 pop3 2002-12-17 14:34
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-58-21217-1 pop3 2002-12-17 14:27
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-59-20602-1 pop3 2002-12-17 14:25
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-04-18838-1 pop3 2002-12-17 14:22
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-04-17914-1 pop3 2002-12-17 14:18
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-59-17617-1 pop3 2002-12-17 14:17
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-57-17316-1 pop3 2002-12-17 14:16
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-56-16983-1 pop3 2002-12-17 14:15
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-01-15215-1 pop3 2002-12-17 14:10
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-59-14928-1 pop3 2002-12-17 14:08
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-56-14010-1 pop3 2002-12-17 14:05
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-49-11308-1 pop3 2002-12-17 13:56
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-47-10975-1 pop3 2002-12-17 13:55
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-47-10346-1 pop3 2002-12-17 13:53
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-48-9145-1 pop3 2002-12-17 13:49
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-47-8850-1 pop3 2002-12-17 13:48
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-46-7925-1 pop3 2002-12-17 13:45
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-45-7638-1 pop3 2002-12-17 13:44
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-44-7343-1 pop3 2002-12-17 13:43
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-44-6769-1 pop3 2002-12-17 13:41
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-51-5601-1 pop3 2002-12-17 13:37
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-47-4077-1 pop3 2002-12-17 13:32
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-45-3166-1 pop3 2002-12-17 13:29
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-44-2867-1 pop3 2002-12-17 13:28
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-38-1347-1 pop3 2002-12-17 13:23
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-39-32593-1 pop3 2002-12-17 13:21
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-38-32260-1 pop3 2002-12-17 13:20
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-36-31370-1 pop3 2002-12-17 13:17
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-08-30833-1 pop3 2002-12-17 13:16
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-51-29952-1 pop3 2002-12-17 13:12
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-49-29657-1 pop3 2002-12-17 13:11
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-48-29310-1 pop3 2002-12-17 13:10
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-46-29023-1 pop3 2002-12-17 13:09
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-45-28723-1 pop3 2002-12-17 13:08

Also found these in the Pop3 logs.

Pop3 logs...

Dec 17 00:59:51 (none) pop3vscan[28580]: Session done (Critial abort). Mails: 0 Bytes: 0
Dec 17 00:59:51 (none) pop3vscan[571]: Attention: child with pid 28580 died with abnormal termsignal (11)! This is probably a bug. Please report to the author. numprocs is now 0
Dec 17 01:01:18 (none) pop3vscan[29032]: Connection from 68.52.XXX.XXX:1176

Dec 17 01:10:23 (none) pop3vscan[31725]:  pointer: 3221224284
Dec 17 01:10:23 (none) pop3vscan[31725]: We can't say if it is a virus! So we have to give the client the mail! You should check your configuration/system
Dec 17 01:10:28 (none) pop3vscan[31725]: Session done (Clean Exit). Mails: 1 Bytes: 127330

Also noted that the odd graphic bug were if I try to view a livelog or something it pops open the window but will not display the content, this happens when I'm displaying 10 items on the Proxy Content Manager however if I change the view to 200, I can view about 1/3 of them and the rest keep the same bug. It seems to be random on which ones it will display.

Let me know what you guys think! Thanks.

Benjamin

Parents

0 Marcel_01 over 23 years ago

that sounds very interesting.. is there a way to get the pdf file? (if it's not confidential, please mail it to mgehrlein@astaro.com, thx!)

did just one mail create that logs?

cheers
Marcel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DanielC over 22 years ago in reply to Marcel_01

I have exactly the same, even when there is no attachment!
It seems to be the content filtering.
---------------
This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.

------
Subject: test 1
Date: Mon, 10 Feb 2003 09:11:35 +0100
Organization: VUB ETRO
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0011_01C2D0E4.696B5D40"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *18i92Q-0000Dd-00*zXFN1Xtb2xE*
X-Virus-Scanner: POP3VScan Version 0.4 by

This is a multi-part message in MIME format.

------=_NextPart_000_0011_01C2D0E4.696B5D40
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0011_01C2D0E4.696B5D40
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Message

------=_NextPart_000_0011_01C2D0E4.696B5D40--
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel_01 over 22 years ago in reply to DanielC

you should have received an email from the pop3 proxy telling you why it has been intercepted, please post this as well...

/marcel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DanielC over 22 years ago in reply to Marcel_01

It's a mail on an mailserver outside our domain.
When I try to read the mail via POP3, the message is stuck in the queue telling me the above.
So I do not receive any more messages than the one I included.

I had to disable the POP3 proxy again because all my mails ended up in the queue as being "Bad".

So any help would be appreciated.

Thanks in advance

Daniel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 DanielC over 22 years ago in reply to Marcel_01

It's a mail on an mailserver outside our domain.
When I try to read the mail via POP3, the message is stuck in the queue telling me the above.
So I do not receive any more messages than the one I included.

I had to disable the POP3 proxy again because all my mails ended up in the queue as being "Bad".

So any help would be appreciated.

Thanks in advance

Daniel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Marcel_01 over 22 years ago in reply to DanielC

ai... nevertheless ... post the mail (the reason) from the proxy, please ...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Benjamin V.H. over 22 years ago in reply to Marcel_01

I would love to but I've since wiped the box. I would have posted when it happened however the webadmin totally stopped working (timed out trying to hit the page) and the Pop3 proxy took down the mail server it was trying to send the MSG to. It kept a POP3 session open and kept hammering it with something. Since I couldn't get into the firewall I couldn't stop it so I just had to wipe it. (I know close to nothing about linux) I'm talking with the person who sent the mail and seeing if I can get a copy of it. It was just a Visio file I think.... I've turned the service back on since then and have not noticed any problems however.

Benjamin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ECKEROTH over 22 years ago in reply to Marcel_01

Yep. Something funny going on here. The POP3 proxy virus scanner kills any PDF file going thru [:S]
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vukasin over 22 years ago in reply to ECKEROTH

Could it be that you have made a too strict "File Extension Filter"?
Note that this filter is a regular expression and is applied to the WHOLE filename.
Who knows? Maybe that is what was causing the problem.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vukasin over 22 years ago in reply to Benjamin V.H.

Wait, are these ougoing or incoming mails we are talking about here?
There is a big difference.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ECKEROTH over 22 years ago in reply to Vukasin

I my case it's incomming PDF files.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Benjamin V.H. over 22 years ago in reply to ECKEROTH

It was an incoming e-mail on my part as well. I don't think it's just PDF files.

Benjamin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DanielC over 22 years ago in reply to Benjamin V.H.

And at our side, the CPU load goes to 100% if the AVK and/or SPAM is enabled.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel