Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 0 replies
  • Subscribers 2 subscribers
  • Views 416 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

extension blocking in SMTP proxy sometimes fails

norwich
Hi,

I've just enabled the SMTP extension blocking feateure and for now have blocked exe, com, pif and scr attachment extensions.

The proxy 'fronts' an internal exchange server which has anti-virus software installed. Recently, we're getting a lot of email being cleaned of the Hybris worm which were coming over with exe and scr attachments. I decided to block these at the firewall just to keep these things at more of an arm's length.

When I test from various external mail accounts it all seems to work OK and block the emails. However, I've just had 4 come in over the last 5 minutes. I've checked the exchange logs and they came via the ASL box, which is comfirmed by the SMTP proxy logs.
Any ideas why these would have come through? 


We also have spamassasin running


I've attached the headers of one such email if anyone's interested:

Received: from mail.hidedomain.com (asl.hidedomain.com [192.168.0.1]) by exchange.hidedomain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id MG7TH7YP; Wed, 18 Jun 2003 11:39:28 +0100
Received: from [62.253.162.42] (helo=mta02-svc.ntlworld.com)
by mail.hidedomain.com with esmtp (Exim 4.10)
id 19SaKg-0003uF-00
for joe@hidedomain.com; Wed, 18 Jun 2003 11:38:26 +0100
Received: from jamie ([62.255.96.29]) by mta02-svc.ntlworld.com
          (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
          id 
          for ; Wed, 18 Jun 2003 11:38:14 +0100
From: Hahaha 
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VECPURCXMR"
Message-Id: 
Date: Wed, 18 Jun 2003 11:38:25 +0100
Bcc:
X-Do-Spam-Scan: 1
X-Spam-Score: 1.9 (+)
X-Spam-Flag: NO
X-Spam-Report: SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM: 
SPAM: Content analysis details:   (1.90 hits, 5 required)
SPAM: SPAM_PHRASE_00_01  (0.8 points)  BODY: Spam phrases score is 00 to 01 (low)
SPAM:                    [score: 0]
SPAM: MICROSOFT_EXECUTABLE (0.1 points)  RAW: Message includes Microsoft executable program
SPAM: MISSING_HEADERS    (1.0 points)  Missing To: header
SPAM: 
SPAM: -------------------- End of SpamAssassin results ---------------------
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *19SaKg-0003uF-00*/Na1hCo7hwY*

----VECPURCXMR
Content-Type: text/plain; charset="us-ascii"

----VECPURCXMR
Content-Type: application/octet-stream; name="sexy virgin.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sexy virgin.scr"

----VECPURCXMR--
  


This thread was automatically locked due to age.