amavis-postfix mime decoding problem
Hi,
I'm receiving a mail virus from a hotmail account. The message passes
through amavis-postfix with antivir. The mail contains "HappyWorm". When I
forward the mail, it does not pass through the mail server and antivir can
detect the virus. Tracking down the problem I found out the following
oddity ?
When amavis decodes the mail, it creates the following file.
msg-20298-4.txt
The content is base64 encoded and starts as
Content-Type: application/octet-stream;
name=query[1].htm
Content-Transfer-Encoding: base64
Content-ID:
Oyku, can you send that e-mail to alex@kel-tek.com? I am running Postfix/Amavis with AVP. We'll see if it is an antivirus or amavis problem, because I used amavis/AVP on Sendmail for 2 years (it caught on average 2 viruses per day) and I never had a virus breach the system.
On Wednesday 20 March 2002 08:26, Oyku Gencay wrote:
Hi,
I'm receiving a mail virus from a hotmail account. The message passes through amavis-postfix with antivir. The mail contains "HappyWorm". When I forward the mail, it does not pass through the mail server and antivir can detect the virus. Tracking down the problem I found out the following oddity ?
When amavis decodes the mail, it creates the following file.
msg-20298-4.txt
The content is base64 encoded and starts as
Content-Type: application/octet-stream;
name=query[1].htm
Content-Transfer-Encoding: base64
Content-ID:
PasdASDasdSDQWEASdaseRQDSAdCeTLs...... and continues.
When I decode this part with mimencode -u, it's a plain html file with worm code in it. antivir can detect the virus in the htm file but amavis does not decode and scan the file.
Is there anything I'm missing? Other than this, everything works fine with amavis-postfix and antivir. I also tried f-prot but it didn't recognize the encoded file either.
Does anyone know why amavis is not decoding the mime part?
I'm using amavis-postfix, postfix from the suse 7.3 CD's and antivir (latest)
Regards, Oyku Gencay
BTW I tried to scan the encoded file with Norton Antivirus (Win) and it recognized it's encoded and found the virus.
-- Alex Levit Senior Network Engineer Kel-Tek Inc. TEL: 626-571-6927 FAX: 626-571-8794 'Alex@kel-tek.com'
On Wed, 20 Mar 2002, Oyku Gencay wrote:
When amavis decodes the mail, it creates the following file.
msg-20298-4.txt
[..]
Does anyone know why amavis is not decoding the mime part?
I'm using amavis-postfix, postfix from the suse 7.3 CD's and antivir (latest)
Which version exactly (rpm -q amavis-postfix)? The version as shipped from CD or did you update amavis-postfix via YOU?
Can you send me the _complete_ mail incl. all headers (not just the msg-20298-4.txt). If the mail is somewhat larger, please zip it. You may encrypt it via PGP/GnuPG - my public PGP key can be found at keyserver(s), of course.
Thanks.
best regards,
Rainer Link
--
Rainer Link | SuSE Linux AG - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
participants (3)
- Alex Levit
- Oyku Gencay
- Rainer Link
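
The manual check from the original post (decoding the extracted part with mimencode -u), as an added Python example that is not part of the thread and is not amavis code: it flags files in an unpacker's output that are still encoded MIME entities and decodes them so they can be rescanned. The file names and the HTML body are constructed; the header layout follows the file quoted in the post.

```python
import base64
from email import message_from_bytes

ENCODINGS = {"base64", "quoted-printable"}

def still_encoded(extracted: bytes):
    """If an extracted part is itself an undecoded MIME entity, return
    (attachment_name, decoded_bytes); otherwise return None."""
    msg = message_from_bytes(extracted)
    cte = (msg.get("Content-Transfer-Encoding") or "").strip().lower()
    if msg.get("Content-Type") is None or cte not in ENCODINGS:
        return None  # no MIME headers: the part was already unpacked
    return msg.get_filename(), msg.get_payload(decode=True)

def audit(parts):
    """Map each still-encoded file name to what a scanner should have seen."""
    found = {}
    for fname, data in parts.items():
        hit = still_encoded(data)
        if hit is not None:
            found[fname] = hit
    return found

# Constructed sample: harmless HTML standing in for the attachment.
HTML = b"<html><body>constructed sample body</body></html>\n"
SAMPLE_PARTS = {
    # Same header layout as the file quoted in the thread (constructed name).
    "msg-0000-4.txt": (
        b"Content-Type: application/octet-stream;\n"
        b"\tname=query[1].htm\n"
        b"Content-Transfer-Encoding: base64\n"
        b"Content-ID:\n"
        b"\n" + base64.encodebytes(HTML)
    ),
    # A part that was unpacked properly: raw content, no MIME headers.
    "msg-0000-5.txt": HTML,
}

if __name__ == "__main__":
    for fname, (name, decoded) in audit(SAMPLE_PARTS).items():
        print(f"{fname}: still encoded, attachment {name!r}, "
              f"{len(decoded)} bytes after decoding")
```

Any file this reports is one the virus scanner only saw as base64 text; the decoded bytes are what should be written out and scanned.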