Virus blocked only after outbound forwarding attempt

jlar310

Jun 27, 2007
We have a couple of addresses that get forwarded (by our back-end mail system) to addresses outside of our domain. We occasionally get notifications from proxmox that it blocked an outbound virus going to that forwarded external address. So it appears that the message gets past the inbound virus check, is handed off to the back-end server which forwards it to an outside domain and *then* proxmox detects the virus. Why would it not get caught on the inbound virus check which is our highest priority rule?

We have all the latest hotfixes. The message in question is the bogus UPS delivery notification with a zip attachment, which has also been missed by the inbound virus scan and delivered to local addresses. It's only caught on the outbound virus scan.

Seems the virus is not detected because of some unsupported encoding or mime encoding. To analyze, we need the original mail in RAW format (eml).

NOTE: If you forward a mail, the mime message is changed - so that could explain the behavior.

Please can you send the email with the virus in a password protected zip file to support@proxmox.com?
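To show what the reply means by the MIME message being changed on forward, here is an added Python example (not from this thread and not Proxmox code): it inspects each part of a raw .eml, then rebuilds the mail the way a forwarding back-end might and shows that the attachment's hash is unchanged while its transfer encoding is rewritten. The sample message, the addresses and the placeholder "zip" attachment are all constructed for the example.

```python
import base64
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample (not real malware): the attachment is only the ZIP local
# file header signature plus filler, base64-encoded on one long line with an
# upper-case encoding name, unlike the canonical 76-column form a mail system
# produces when it re-encodes an attachment while forwarding.
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 60
ORIGINAL = (
    b"From: sender@example.test\r\nTo: user@example.test\r\n"
    b"Subject: UPS delivery notification\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\n'
    b"Content-Type: text/plain\r\n\r\nSee attached notice.\r\n--b1\r\n"
    b'Content-Type: application/zip; name="notice.zip"\r\n'
    b"Content-Transfer-Encoding: BASE64\r\n"
    b'Content-Disposition: attachment; filename="notice.zip"\r\n\r\n'
    + base64.b64encode(FAKE_ZIP) + b"\r\n--b1--\r\n"
)

def inspect_parts(raw: bytes) -> list:
    """Report each leaf MIME part: filename, declared transfer encoding,
    SHA-256 of the decoded payload and whether it starts with a ZIP signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        report.append({
            "filename": part.get_filename(),
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_zip": data.startswith(b"PK\x03\x04"),
        })
    return report

def simulate_forward(raw: bytes) -> bytes:
    """Rebuild the mail the way a forwarding back-end might: decode every
    attachment and re-attach it, so it is re-encoded in canonical base64."""
    src = email.message_from_bytes(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["Subject"] = "Fwd: " + str(src["Subject"])
    fwd.set_content("Forwarded message attached.")
    for part in src.iter_attachments():
        fwd.add_attachment(part.get_payload(decode=True), filename=part.get_filename(),
                           maintype=part.get_content_maintype(),
                           subtype=part.get_content_subtype())
    return fwd.as_bytes()
```

Running `inspect_parts` over the original and over `simulate_forward(ORIGINAL)` gives the same attachment hash but a different raw message and encoding header, which is why a scan result can differ between the inbound and outbound pass of the same mail.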
 
The message was never stored at any point, so I cannot provide a copy at this time. It's not happening all that often, so I'm not sure when I'll see another example.
 
Just enable the virus quarantine (replace "block" with "quarantine" in your rules).
 
