Smoothwall 3, virus from hak5.org?


GonZor

I am running smoothwall v3.0 with pop3 filtering enabled. Every time I get an email notifying me of a reply to a thread my smoothwall detects a virus within the email and replaces the email with the following...

This message body was generated automatically by SmoothWall (on smoothwall).

It replaces a message sent to you that contained a virus.

This message includes the email headers of the infected message.

Virus name:

    <no virusinfo could be examined>

Sender:

    "Hak.5 Forums" <forums@hak5.org>

Sent to:

    simmo_89@internode.on.net

Date:

    Sat, 20 Jan 2001 12:41:46 +1030

Subject:

    Topic reply: ~Gozor~ Finished Payload

Connection data:

    POP3 from XXX.XXX.X.XXX to XXX.XX.XXX.XXX

As you can see, it can't identify a virus, but it becomes annoying when my emails get replaced. I have not received an email for a PM so I am not sure if it will react the same, but I'd like to know if anyone else is having this issue or if this is just some weird setting on my smoothwall.

P.S. - I didn't post this in forum support because I believe (know) it's an issue with my smoothwall, not the forums, else it's a strange coincidence that it started the exact time I started running smoothwall 3.0.


Does smoothwall have an updated blacklist thing going on?

Because there will have been, at some point, programs that some AV software throw up 'this is a virus because we say so' messages about hosted on hak5.org. Thus maybe the hak5 domain/IP made its way onto some kind of blacklist, thus network protection devices/software throw up warnings even when there is no threat present?

This is just a shot in the dark really, but a possibility.


I have had a quick look and Smoothwall is using ClamAV for its email filtering, and most likely that is being called through Amavis or Milter.

Now includes a POP3 proxy with support for Anti-Virus using ClamAV.

I think the logs for clam by default are in /var/log/clamd.log

Also, updates are done through cron for this using the command 'freshclam', which will go down and upload new signature files as they are released by the Clam community. I use this in our Linux Gateway product for SMTP filtering and it does a great job, especially when used with SpamAssassin.

Also you may find logging a bit different as it is part of smoothwall and it may handle logging differently.


  • 2 weeks later...

I have figured out that it is not only emails from Hak5.org but all emails that get sent to this account are detected as a virus. When I disable pop3 scanning, NOD32 and Avast don't detect any viruses. I originally thought it was only emails from Hak5 (that's basically all I get from that account) but it seems all my emails are being detected as false positives. Has anyone heard of this problem before? This email account is with my ISP so I'm assuming it has something to do with them or the way the emails are received from them.
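
An added example, not part of the original thread and not Smoothwall's own code: a small Python triage of replacement notifications in the layout quoted in the first post, separating detections that carry a signature name from those showing the placeholder. The sample messages, addresses, function names and the `suspect_scanner` heuristic are constructed assumptions.

```python
from collections import Counter

# Placeholder shown in the notification quoted in the thread when no
# signature name is available.
NO_NAME = "<no virusinfo could be examined>"

def parse_notification(body):
    """Return {label: value} from 'Label:' lines followed by an indented value."""
    fields, label = {}, None
    for line in body.splitlines():
        text = line.strip()
        if not text:
            continue
        # Labels start in column 0 and end with ':'; values are indented,
        # so a subject that itself ends with ':' is still read as a value.
        if text.endswith(":") and not line[:1].isspace():
            label = text[:-1]
        elif label is not None:
            fields[label] = text
            label = None
    return fields

def summarize(bodies):
    """Count named vs unnamed detections and the distinct senders affected."""
    named, unnamed, senders = Counter(), 0, set()
    for body in bodies:
        f = parse_notification(body)
        senders.add(f.get("Sender", "?"))
        name = f.get("Virus name", NO_NAME)
        if name == NO_NAME:
            unnamed += 1
        else:
            named[name] += 1
    # Heuristic (assumption): only unnamed hits, spread over several senders,
    # points at the scanning path rather than at one infected source.
    suspect = unnamed > 0 and not named and len(senders) > 1
    return {"named": dict(named), "unnamed": unnamed,
            "senders": len(senders), "suspect_scanner": suspect}

def sample(virus, sender, subject):
    # Constructed sample in the layout of the notification quoted above.
    return ("It replaces a message sent to you that contained a virus.\n\n"
            f"Virus name:\n\n    {virus}\n\n"
            f"Sender:\n\n    {sender}\n\n"
            f"Subject:\n\n    {subject}\n")

SAMPLES = [sample(NO_NAME, '"Forum A" <forums@example.org>', "Topic reply: test:"),
           sample(NO_NAME, "<billing@example.net>", "Invoice")]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

When `suspect_scanner` is true, the next place to look is the scanner and proxy logging mentioned earlier in the thread rather than the individual messages.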
