Kerio Connect: Virus Scanner and Spam Filter Issue
tonyswu

Hi,

We are using Kerio Connect 7.4.1, running on Mac OS X Server 10.7. For security reasons, I've replaced our actual company domain with companydomain.com.

This morning, a spam email with a virus attachment got through both our virus scanner and spam filter and landed in 80% of our users' inboxes. So I am trying to figure out how exactly that could have happened.

First of all, the email has the From header of xerox.device6@companydomain.com, but a Return-Path header of message@securebank.com. In our spam filter settings, any email that doesn't have a positive SPF result is automatically flagged as spam. So this should've been picked up as spam at the very least. But it wasn't. Could it be possible that Kerio doesn't actually match the SPF record against the From header, but just the Return-Path header? If so, doesn't this kinda defeat the purpose of SPF checking?

Second of all, this email has a zip attachment of the virus tagged as Mal/DwnLdr-W (Sophos webpage here: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~DwnLdr-W/detailed-analysis.aspx). According to the page this virus has been in the definitions since Nov. 14. So why wasn't it picked up on the server? Could it be that Kerio Sophos is not configured to scan into compressed files?

Here is the log in the Kerio mail regarding this email:
[07/Dec/2012 04:23:30] Recv: Queue-ID: 50c1dfbb-00009fcf, Service: SMTP, From: <message@securebank.com>, To: <twu@companydomain>, Size: 99348, Sender-Host: 77.42.243.82, Subject: Scan from a Xerox WorkCentre, Msg-Id: <G5YIWZAQJGKR8AMOHETHKN920BYH1530G93X60@companydomain.com>

Attached are a screenshot and the header of the actual email.

Thanks.

[Updated on: Fri, 07 December 2012 21:55] by Moderator

Pavel Dobry (Kerio)

SPF checks only MAIL FROM address in SMTP communication (later saved as Return-path header). So it obviously cannot stop this email.
That's why Caller-ID was invented - it checks From or Sender email headers.
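The distinction drawn above (SPF is evaluated on the SMTP MAIL FROM address, which ends up as Return-Path, while Caller-ID looks at the From or Sender header) is easy to see in code. The following Python example is added here and is not Kerio's code or part of the original thread; it builds a constructed message modelled on the one in the question (From at the company's own domain, Return-Path at a third-party domain) and runs both kinds of check against it. The SPF lookup is a stand-in table (an assumption for this offline example), not a real DNS query, and the Message-ID, hostnames and the 203.0.113.10 address are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the thread: the From header claims the
# company's own domain while the envelope sender (Return-Path) is a
# third-party domain. Message-ID and relay hostname are placeholders.
RAW_MESSAGE = b"""Return-Path: <message@securebank.com>
Received: from relay.example.net (relay.example.net [77.42.243.82]) by mail.companydomain.com with ESMTP; Fri, 07 Dec 2012 04:23:30 -0800
From: xerox.device6@companydomain.com
To: twu@companydomain.com
Subject: Scan from a Xerox WorkCentre
Message-ID: <placeholder-msgid@companydomain.com>

Please see the attached scan.
"""

# Constructed legitimate message for comparison: envelope and header domains
# agree and the sending host is one the domain authorises.
LEGIT_MESSAGE = b"""Return-Path: <xerox.device6@companydomain.com>
From: xerox.device6@companydomain.com
To: twu@companydomain.com
Subject: Scan from a Xerox WorkCentre
Message-ID: <placeholder-msgid-2@companydomain.com>

Please see the attached scan.
"""

# Stand-in for a real SPF DNS lookup (an assumption for this example): the
# client IPs each domain's SPF record authorises. The thread's scenario needs
# the third-party domain to authorise the sending host, which is exactly why a
# check that only looks at the envelope sender passed the message.
AUTHORISED_SENDERS = {
    "securebank.com": {"77.42.243.82"},
    "companydomain.com": {"203.0.113.10"},
}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address or header value."""
    _, addr = parseaddr(str(address))
    return addr.rpartition("@")[2].lower()


def spf_check(domain: str, client_ip: str) -> str:
    """Evaluate the simulated SPF policy of one domain against the client IP."""
    authorised = AUTHORISED_SENDERS.get(domain)
    if authorised is None:
        return "none"  # domain publishes no SPF record
    return "pass" if client_ip in authorised else "fail"


def classify(raw: bytes, client_ip: str) -> dict:
    """Run an envelope-only SPF check and a header-based (Caller-ID style) check.

    Returns both results plus whether the header domain is aligned with the
    envelope domain, and the verdict a filter would reach from each check.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    envelope_domain = domain_of(msg["Return-Path"])
    # Caller-ID style "purported responsible address": Sender if present, else From.
    responsible = msg["Sender"] or msg["From"]
    header_domain = domain_of(responsible)

    spf_envelope = spf_check(envelope_domain, client_ip)   # what SPF actually tests
    spf_header = spf_check(header_domain, client_ip)       # what Caller-ID tests
    aligned = (header_domain == envelope_domain
               or header_domain.endswith("." + envelope_domain))

    return {
        "envelope_domain": envelope_domain,
        "header_domain": header_domain,
        "spf_envelope": spf_envelope,
        "spf_header": spf_header,
        "aligned": aligned,
        # The thread's rule: no positive SPF result -> spam. Envelope-only.
        "flagged_by_spf_rule": spf_envelope != "pass",
        # Same rule extended to the header domain, plus an alignment check.
        "flagged_by_header_rule": spf_header != "pass" or not aligned,
    }


if __name__ == "__main__":
    for name, raw, ip in (("spoofed", RAW_MESSAGE, "77.42.243.82"),
                          ("legit", LEGIT_MESSAGE, "203.0.113.10")):
        print(name, classify(raw, ip))
```

Run as written, the spoofed message gets an SPF "pass" on securebank.com and therefore sails through the envelope-only rule, while the header-based check fails on companydomain.com and the alignment test shows the two domains disagree. The legitimate message passes both. This is the gap the question describes: a rule that keys on the SPF result alone never looks at the domain the recipient actually sees in the From header.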
Pavel Dobry (Kerio)

tonyswu wrote on Fri, 07 December 2012 19:14
Hi,

Second of all, this email has a zip attachment of the virus tagged as Mal/DwnLdr-W (Sophos webpage here: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~DwnLdr-W/detailed-analysis.aspx). According to the page this virus has been in the definitions since Nov. 14. So why wasn't it picked up on the server? Could it be that Kerio Sophos is not configured to scan into compressed files?

Thanks.

Kerio Connect (Sophos) detects this threat as http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-ZFE.aspx
Sophos database definition files were updated for this particular file about an hour ago. So it wasn't yet in the database when you received the file.

You can verify it here: https://www.virustotal.com/file/82a1d0f0e216e8d7d2b3e48f840f95d38e05f0de9e70fb8c8daa9c2ef2eb3d7b/analysis/

[Updated on: Fri, 07 December 2012 21:46]
