Jump to content

Smoothwall 3, virus from hak5.org?


GonZor
 Share

Recommended Posts

I am running smoothwall v3.0 with pop3 filtering enabled. Every time I get an email notifying me of a reply to a thread my smoothwall detects a virus within the email and replaces the email with the following...

This message body was generated automatically by SmoothWall (on

smoothwall).

It replaces a message sent to you that contained a virus.

This message includes the email headers of the infected message.

Virus name:

    <no virusinfo could be examined>

Sender:

    "Hak.5 Forums" <forums@hak5.org>

Sent to:

    simmo_89@internode.on.net

Date:

    Sat, 20 Jan 2001 12:41:46 +1030

Subject:

    Topic reply: ~Gozor~ Finished Payload

Connection data:

    POP3 from XXX.XXX.X.XXX to XXX.XX.XXX.XXX

As you can see it cant identify a virus but it becomes annoying when my emails get replaced. I have not received an email for a PM so I am not sure if it will react the same but I'd like to know if anyone else is having this issue or if this is just some weird setting on my smoothwall.

P.S. - I didn't post this in forum support because I believe (know) its an issue with my smoothwall not the forums, else its a strange coincidence that it started the exact time I started running smoothwall 3.0.

Link to comment
Share on other sites

Does smoothwall have a updated blacklist thing going on?

Because there will have been, at some point, programs that some AV software throw up 'this is a virus because we say so' messages about hosted on hak5.org. Thus may be the hak5 domain/ip made it's way on to some kind of blacklist, thus network protection devices/software throw up warnings even when there is no threat present?

This is just a shot in the dark really, but a possibility.

Link to comment
Share on other sites

I have had a quick look and Smoothwall is using Clam AV for it email filtering and most likley that is being called through Amavis or Milter.

Now includes a POP3 proxy with support for Anti-Virus using ClamAV.

I think the logs for clam by default are in /var/log/clamd.log

Also updates are done through cron for this using the command 'freshclam' which will go down and upload new signature files as they are released by the Clam community. I use this in our Linux Gate way product for SMTP filtering and it does a great job especially when used with Spamassasin.

Also you may find logging a bit different as it is part of smoothwall and it may handle logging differently.

Link to comment
Share on other sites

  • 2 weeks later...

I have figured out that it is not only emails from Hak5.org but all emails that get sent to this account are detected as a virus, when I disable pop3 scanning NOD32 and Avast don't detect any virus's. I originally thought it was only emails from Hak5 (thats basically all I get from that account) but it seems all my emails are being detected as false positives. Has anyone heard of this problem before? This email account is with my ISP so I'm assuming it has something to do with them or the way the emails are received from them.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...