Possible virus loop hole?
lyndonje
Senior Member Joined: 31 January 2006 Location: United Kingdom Status: Offline Points: 192
Posted: 10 February 2009 at 7:47am
Hello,
A customer has contacted me to say one of the users seems to have received an email containing a virus. I asked them to send me a copy of the email, firstly to confirm it does actually contain a virus. After not receiving the email, and in checking the logs, I found that the email they tried to send to me was rejected because it did contain a virus.

Having looked at the headers of the original email, which was only sent a few hours prior, I can see that the email did pass through our SF server. On checking the logs I can see that the TO and FROM address both matched, but were autowhitelisted, which seems to have taken priority over the fact SF detected a virus in the email?

Log snippet below, using v.4.1.2.801

02/10/09 06:10:33:439 -- (10428) Connection from: 217.175.222.231 - Originating country : Cyprus
02/10/09 06:10:34:251 -- (10428) Received MAIL FROM: <bins@xxx.com> SIZE=53856
02/10/09 06:10:34:439 -- (10428) Received RCPT TO: bins@xxx.com
02/10/09 06:10:34:485 -- (10428) Resolving 217.175.222.231 - 217-175-222-231.dyn-pool.spidernet.net
02/10/09 06:10:34:485 -- (10428) - Mail From and Mail To are equal -
02/10/09 06:10:34:485 -- (10428) 217.175.222.231 - Mail from: bins@xxx.com To: bins@xxx.com will be rejected
02/10/09 06:10:34:485 -- (10428) Bypassed all rules for: bins@xxx.com from bins@xxx.com ( AutoWhiteList Force Delivery)
02/10/09 06:10:36:673 -- (10428) Bypassed all rules for: bins@xxx.com from bins@xxx.com
02/10/09 06:10:36:704 -- (10428) Start virus scan
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com infected with the virus W32/Bagle.QS
02/10/09 06:10:36:720 -- (10428) Starting queueing procedures
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com was queued. Size: 52 KB, 53248 bytes
02/10/09 06:10:36:735 -- (10428) Starting bayesian procedures
02/10/09 06:10:36:767 -- (2728) Sending email from bins@xxx.com to bins@xxx.com --
02/10/09 06:10:36:782 -- (10488) Time to add Msg to Bayes corpus:0
02/10/09 06:10:36:970 -- (10428) Disconnect
02/10/09 06:10:38:032 -- (2728) EMail from bins@xxx.com to bins@xxx.com -- was forwarded to a.b.c.d:25
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
Lyndon, you are absolutely correct here unfortunately. We were able to replicate this; it seems as if whitelisted individuals are treated incorrectly, and emails with viruses are incorrectly whitelisted as well.
We'll have a fix for this ASAP, hopefully within the next 12 hours or less.
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
Due to the urgency of the issue (and the fact that this bug is caused by a missing single line of code), we've just pre-released the fastest bug fix in our history, adding it to the current enhancements that were in the works. The updated build is 4.1.2.803 and it is available right now in the registered user area of our website.
The bug caused users who were whitelisted either because they were added in the "Whitelisted Emails TO" or because of entries in the AutoWhiteList-forcedelivery filter to receive unfiltered infected emails.
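
An added example (not part of the thread and not LogSat's code): a Python check that scans logs in the format posted above for connections where a virus was detected and the message was still queued, which is the symptom described in this thread. It assumes the number in parentheses identifies the connection and that a "was queued" line after the detection means delivery went ahead; the second session in the sample is constructed.

```python
import re
from collections import defaultdict

# Sample built from the excerpt in the first post; session 10431 is constructed.
SAMPLE_LOG = """\
02/10/09 06:10:34:485 -- (10428) Bypassed all rules for: bins@xxx.com from bins@xxx.com ( AutoWhiteList Force Delivery)
02/10/09 06:10:36:704 -- (10428) Start virus scan
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com infected with the virus W32/Bagle.QS
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com was queued. Size: 52 KB, 53248 bytes
02/10/09 06:10:36:970 -- (10428) Disconnect
02/10/09 06:11:02:101 -- (10431) Start virus scan
02/10/09 06:11:02:150 -- (10431) EMail from a@example.org to b@example.org was queued. Size: 4 KB, 4096 bytes
02/10/09 06:11:02:300 -- (10431) Disconnect
"""

LINE = re.compile(r"^(\S+ \S+) -- \((\d+)\) (.*)$")
INFECTED = re.compile(r"EMail from (\S+) to (\S+) infected with the virus (\S+)")
QUEUED = re.compile(r"EMail from (\S+) to (\S+) was queued")

def find_delivered_infections(log_text):
    """Return one record per connection that logged a virus hit and still queued the mail."""
    state = defaultdict(dict)  # per-connection state, keyed by the id in parentheses (assumption)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        stamp, sid, msg = m.groups()
        s = state[sid]
        if msg.startswith("Bypassed all rules for:"):
            s["bypassed"] = True  # whitelist bypass was in effect for this connection
        elif (hit := INFECTED.search(msg)):
            s.update(sender=hit[1], rcpt=hit[2], virus=hit[3], detected_at=stamp)
        elif "virus" in s and QUEUED.search(msg):
            # Detection followed by queueing: the infected message was accepted for delivery.
            findings.append({"session": sid, "bypassed": s.get("bypassed", False),
                             "sender": s["sender"], "rcpt": s["rcpt"],
                             "virus": s["virus"], "detected_at": s["detected_at"]})
        elif msg.startswith("Disconnect"):
            state.pop(sid, None)  # ids may be reused by later connections
    return findings

if __name__ == "__main__":
    for f in find_delivered_infections(SAMPLE_LOG):
        print(f)
```

Records with "bypassed" set to True point at mail that reached the recipient through the whitelist path discussed in this thread.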