GonZor
Posted September 24, 2007

I am running smoothwall v3.0 with pop3 filtering enabled. Every time I get an email notifying me of a reply to a thread, my smoothwall detects a virus within the email and replaces the email with the following...

This message body was generated automatically by SmoothWall (on smoothwall).
It replaces a message sent to you that contained a virus.
This message includes the email headers of the infected message.

Virus name: <no virusinfo could be examined>
Sender: "Hak.5 Forums" <forums@hak5.org>
Sent to: simmo_89@internode.on.net
Date: Sat, 20 Jan 2001 12:41:46 +1030
Subject: Topic reply: ~Gozor~ Finished Payload
Connection data: POP3 from XXX.XXX.X.XXX to XXX.XX.XXX.XXX

As you can see, it can't identify a virus, but it becomes annoying when my emails get replaced. I have not received an email for a PM so I am not sure if it will react the same, but I'd like to know if anyone else is having this issue or if this is just some weird setting on my smoothwall.

P.S. - I didn't post this in forum support because I believe (know) it's an issue with my smoothwall, not the forums, else it's a strange coincidence that it started the exact time I started running smoothwall 3.0.

VaKo
Posted September 24, 2007

If you have more detailed logs you could PM them to me (just to be 100% sure the universe isn't playing dirty). Of course they would be kept in confidence.

digip
Posted September 24, 2007

Maybe it sees the word hak and filters it out?

Sparda
Posted September 24, 2007

Does smoothwall have an updated blacklist thing going on? Because there will have been, at some point, programs hosted on hak5.org that some AV software throws up 'this is a virus because we say so' messages about. Thus maybe the hak5 domain/IP made its way onto some kind of blacklist, and thus network protection devices/software throw up warnings even when there is no threat present? This is just a shot in the dark really, but a possibility.

puredistortion
Posted September 25, 2007

I have had a quick look and Smoothwall is using ClamAV for its email filtering, and most likely that is being called through Amavis or Milter.

Now includes a POP3 proxy with support for Anti-Virus using ClamAV.

I think the logs for clam by default are in /var/log/clamd.log

Also, updates are done through cron for this using the command 'freshclam', which will go down and upload new signature files as they are released by the Clam community. I use this in our Linux gateway product for SMTP filtering and it does a great job, especially when used with SpamAssassin.

Also, you may find logging a bit different as it is part of smoothwall and it may handle logging differently.

GonZor
Posted October 5, 2007

I have figured out that it is not only emails from Hak5.org but all emails that get sent to this account that are detected as a virus. When I disable pop3 scanning, NOD32 and Avast don't detect any viruses. I originally thought it was only emails from Hak5 (that's basically all I get from that account) but it seems all my emails are being detected as false positives.

Has anyone heard of this problem before? This email account is with my ISP so I'm assuming it has something to do with them or the way the emails are received from them.

hsncorrosion
Posted October 7, 2007

Maybe it's evil server? lol

puredistortion
Posted October 11, 2007

Can you whitelist the domain in the smoothwall GUI? If you can, I can go hunting and give you Amavis config options that will whitelist hak5.org from spam and AV filtering.