SMTP/Pop3 Proxy Virus protection too strict. Major mail bug.

I wasn't getting an e-mail from a client. So I checked the Proxy Content Manager and there are a LARGE number of e-mails (300 +) and a lot of them are classified:

This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.

I have an Extension filter enabled on the Pop3 as well as virus protection but the extension filter is simply for harmful extensions. After looking at the content manager they all seem to be the same e-mail... It’s a .pdf from a trusted person (I know him) they also seem to repeat every few minutes. See sample below.

2002-12-17-14-12-46-23237-1 pop3 2002-12-17 14:34
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-58-21217-1 pop3 2002-12-17 14:27
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-59-20602-1 pop3 2002-12-17 14:25
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-04-18838-1 pop3 2002-12-17 14:22
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-04-17914-1 pop3 2002-12-17 14:18
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-59-17617-1 pop3 2002-12-17 14:17
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-57-17316-1 pop3 2002-12-17 14:16
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-56-16983-1 pop3 2002-12-17 14:15
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-01-15215-1 pop3 2002-12-17 14:10
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-59-14928-1 pop3 2002-12-17 14:08
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-14-12-56-14010-1 pop3 2002-12-17 14:05
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-49-11308-1 pop3 2002-12-17 13:56
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-47-10975-1 pop3 2002-12-17 13:55
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-47-10346-1 pop3 2002-12-17 13:53
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-48-9145-1 pop3 2002-12-17 13:49
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-47-8850-1 pop3 2002-12-17 13:48
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-46-7925-1 pop3 2002-12-17 13:45
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-45-7638-1 pop3 2002-12-17 13:44
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-44-7343-1 pop3 2002-12-17 13:43
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-44-6769-1 pop3 2002-12-17 13:41
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-51-5601-1 pop3 2002-12-17 13:37
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-47-4077-1 pop3 2002-12-17 13:32
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-45-3166-1 pop3 2002-12-17 13:29
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-44-2867-1 pop3 2002-12-17 13:28
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-38-1347-1 pop3 2002-12-17 13:23
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-39-32593-1 pop3 2002-12-17 13:21
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-38-32260-1 pop3 2002-12-17 13:20
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-36-31370-1 pop3 2002-12-17 13:17
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-08-30833-1 pop3 2002-12-17 13:16
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-51-29952-1 pop3 2002-12-17 13:12
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-49-29657-1 pop3 2002-12-17 13:11
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-48-29310-1 pop3 2002-12-17 13:10
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-46-29023-1 pop3 2002-12-17 13:09
  This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.
2002-12-17-13-12-45-28723-1 pop3 2002-12-17 13:08

Also found these in the Pop3 logs.

Pop3 logs...

Dec 17 00:59:51 (none) pop3vscan[28580]: Session done (Critial abort). Mails: 0 Bytes: 0
Dec 17 00:59:51 (none) pop3vscan[571]: Attention: child with pid 28580 died with abnormal termsignal (11)! This is probably a bug. Please report to the author. numprocs is now 0
Dec 17 01:01:18 (none) pop3vscan[29032]: Connection from 68.52.XXX.XXX:1176

Dec 17 01:10:23 (none) pop3vscan[31725]:  pointer: 3221224284
Dec 17 01:10:23 (none) pop3vscan[31725]: We can't say if it is a virus! So we have to give the client the mail! You should check your configuration/system
Dec 17 01:10:28 (none) pop3vscan[31725]: Session done (Clean Exit). Mails: 1 Bytes: 127330

Also noted that the odd graphic bug were if I try to view a livelog or something it pops open the window but will not display the content, this happens when I'm displaying 10 items on the Proxy Content Manager however if I change the view to 200, I can view about 1/3 of them and the rest keep the same bug. It seems to be random on which ones it will display.

Let me know what you guys think! Thanks.

Benjamin

Parents

0 Marcel_01 over 23 years ago

that sounds very interesting.. is there a way to get the pdf file? (if it's not confidential, please mail it to mgehrlein@astaro.com, thx!)

did just one mail create that logs?

cheers
Marcel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DanielC over 22 years ago in reply to Marcel_01

I have exactly the same, even when there is no attachment!
It seems to be the content filtering.
---------------
This message was intercepted by the POP3 proxy. It contains a virus or other harmful content.

------
Subject: test 1
Date: Mon, 10 Feb 2003 09:11:35 +0100
Organization: VUB ETRO
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0011_01C2D0E4.696B5D40"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *18i92Q-0000Dd-00*zXFN1Xtb2xE*
X-Virus-Scanner: POP3VScan Version 0.4 by

This is a multi-part message in MIME format.

------=_NextPart_000_0011_01C2D0E4.696B5D40
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0011_01C2D0E4.696B5D40
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Message

------=_NextPart_000_0011_01C2D0E4.696B5D40--
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel_01 over 22 years ago in reply to DanielC

ai... nevertheless ... post the mail (the reason) from the proxy, please ...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Benjamin V.H. over 22 years ago in reply to Marcel_01

I would love to but I've since wiped the box. I would have posted when it happened however the webadmin totally stopped working (timed out trying to hit the page) and the Pop3 proxy took down the mail server it was trying to send the MSG to. It kept a POP3 session open and kept hammering it with something. Since I couldn't get into the firewall I couldn't stop it so I just had to wipe it. (I know close to nothing about linux) I'm talking with the person who sent the mail and seeing if I can get a copy of it. It was just a Visio file I think.... I've turned the service back on since then and have not noticed any problems however.

Benjamin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ECKEROTH over 22 years ago in reply to Marcel_01

Yep. Something funny going on here. The POP3 proxy virus scanner kills any PDF file going thru [:S]
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vukasin over 22 years ago in reply to ECKEROTH

Could it be that you have made a too strict "File Extension Filter"?
Note that this filter is a regular expression and is applied to the WHOLE filename.
Who knows? Maybe that is what was causing the problem.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vukasin over 22 years ago in reply to Benjamin V.H.

Wait, are these ougoing or incoming mails we are talking about here?
There is a big difference.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ECKEROTH over 22 years ago in reply to Vukasin

I my case it's incomming PDF files.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Benjamin V.H. over 22 years ago in reply to ECKEROTH

It was an incoming e-mail on my part as well. I don't think it's just PDF files.

Benjamin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DanielC over 22 years ago in reply to Benjamin V.H.

And at our side, the CPU load goes to 100% if the AVK and/or SPAM is enabled.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ECKEROTH over 22 years ago in reply to Marcel_01

Marcel, you wanted a mail from the pop3 proxy. Heres one:

Return-Path:
Received: from post.scanweb.dk ([80.80.18.2]) by post.commit-as.dk
(Post.Office MTA v3.5.3 release 223 ID# 0-69967U100L2S100V35)
with ESMTP id dk for ;
Thu, 13 Feb 2003 07:30:40 +0100
Received: from [192.168.1.12] (helo=SOCS)
by post.scanweb.dk with smtp (Exim 4.10)
id 18jCwH-0007f7-00
for postmaster@commit-as.dk; Thu, 13 Feb 2003 07:33:41 +0100
Subject: Subject: em42[:P]op3:guid:3e4b3d7800000c59
To: postmaster@commit-as.dk
From: ipmonitor@scanweb.dk
Message-Id:
Date: Thu, 13 Feb 2003 07:33:41 +0100
X-Spam-Score: 0.5 (/)
X-Spam-Flag: NO
X-Spam-Report: SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (0.5 hits, 5 required)
SPAM: NO_REAL_NAME (0.5 points) From: does not include a real name
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *18jCwH-0007f7-00*YixQ/I.sOT6*
X-Virus-Scanner: POP3VScan Version 0.4 by

This is a message used internally by ipMonitor to test the
send and receive ability of a specific POP3 Mail Server. This message
may appear because ipMonitor gave up on the server (due to
the "Stop test After" limit).

ipMonitor considered the transaction linked to this message
a failure.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel_01 over 22 years ago in reply to ECKEROTH

ok.. another try on this...I think there's a misunderstanding here..

as mentioned above, please post the mail you see in the content manager as well as the mail you receive from the proxy with the exact reason why your original mail has been blocked (the whole mail please). [:)]

cheers
marcel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Marcel_01 over 22 years ago in reply to ECKEROTH

ok.. another try on this...I think there's a misunderstanding here..

as mentioned above, please post the mail you see in the content manager as well as the mail you receive from the proxy with the exact reason why your original mail has been blocked (the whole mail please). [:)]

cheers
marcel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 DanielC over 22 years ago in reply to Marcel_01

Hi Marcel,

I posted the full mail and the full responce yesterday in the proxy forum
https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/26538

Sorry for the inconvenience

Daniel

PS I nottice yesterday also an entry in the pop3 log
Feb 12 15:45:01 (none) pop3vscan[17135]: Session done (Clean Exit). Mails: 0 Bytes: 0
Feb 12 15:45:19 (none) pop3vscan[16187]: Cannot connect to real-server
Feb 12 15:45:19 (none) pop3vscan[16187]: Session done (Critial abort). Mails: 0 Bytes: 0
Feb 12 15:45:19 (none) pop3vscan[12447]: Attention: child with pid 16187 died with abnormal termsignal (11)! This is probably a bug. Please report to the author. numprocs is now 0
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel_01 over 22 years ago in reply to DanielC

answered there...

for your log-sniplet: since the proxy works transparent, there is no need to connect directly to it. in other words: this error occurs, when you enter the firewalls' ip address in your mailclient and the proxy tries to connect to itself...

cheers
marcel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DanielC over 22 years ago in reply to Marcel_01

Marcel,

Then maybe the problem has something to do with this...
In order to be able to scan also internal mails, our clients have the outside of the firewall configured as outgoing mailserver. And the proxy at the ASL then relays the messages for our domain to our internal mailserver as if they were from outside.
The smarthost of the ASL is the mailserver form our ISP
I hope there is no loop in this scenario?

Thanks anyway for the clarification
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel