Possible Virus in our Mdaemon?

pixel_ninja

Recently staff have complained that the attachments (.pdf) that they have been sending out to clients are being removed. What I then did was resend the message to my personal Yahoo and Gmail accounts to see if they would also bounce. Interestingly, Yahoo accepted the email, but the same email to Google was rejected citing:

SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [209.xxx.229.27]:
552-5.7.0 Our system detected an illegal attachment on your message. Please
552-5.7.0 visit http://mail.google.com/support/bin/answer.py?answer=6590 to
552 5.7.0 review our attachment guidelines. fj8si1641040wbb.54

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 1795047 characters long; only the first
------ 16384 or so are included here.

While we do have an antivirus plugin for MDaemon, as well as Symantec Endpoint on the server (as well as staff machines), I am worried that there is a virus that is attaching itself to emails which is causing this (although I've only ever seen attachments being removed when they were .pdf). Virus or not, there must be something that is causing the attachments to be identified as illegal attachments. Hopefully someone who has experienced something similar can shed some light.
 
Has anybody complained of receiving strange attachments such as .pif, .scr, .exe, etc., or have messages bounced back to your staff with virus warnings?

If you zip or rar the pdf prior to sending does it go through?

In MDaemon you can try disabling compression for outbound attachments (security -> content filter -> compression).
Check what attachments are allowed in the content filter & block all attachments Google does not accept:
ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msc, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf, wsh

Also try sending some test mails with PDF attachments via WorldClient, do they also bounce?

If you still have problems I'll PM you an email address to send some test messages.
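
One way to check a saved copy of an outgoing message against the extension list quoted above, as an added example that is not part of the original thread. The sample message, addresses and file names are constructed, and the `%PDF-` header test goes beyond the extension list in the post.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions quoted in the post above as not accepted by Google.
BLOCKED = set("""ade adp bat chm cmd com cpl exe hta ins isp jse lib mde msc
msp mst pif scr sct shb sys vb vbe vbs vxd wsc wsf wsh""".split())

def audit_attachments(raw_bytes):
    """Return one finding dict per attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # Check every dot-separated suffix so "report.pdf.exe" is caught too.
        exts = [s.lstrip(".").lower() for s in PurePosixPath(name).suffixes]
        payload = part.get_payload(decode=True) or b""
        issues = [f"blocked extension .{e}" for e in exts if e in BLOCKED]
        # Addition beyond the post: a real PDF starts with "%PDF-".
        if exts and exts[-1] == "pdf" and not payload.startswith(b"%PDF-"):
            issues.append("named .pdf but content lacks %PDF- header")
        findings.append({"name": name, "type": part.get_content_type(),
                         "size": len(payload), "issues": issues})
    return findings

def build_sample():
    """Constructed test message: one clean PDF and two suspicious parts."""
    m = EmailMessage()
    m["From"] = "staff@example.com"
    m["To"] = "client@example.net"
    m["Subject"] = "Quote"
    m.set_content("See attached.")
    for data, fname in [(b"%PDF-1.4\n%%EOF\n", "quote.pdf"),
                        (b"MZ\x90\x00", "invoice.pdf.scr"),
                        (b"PK\x03\x04", "statement.pdf")]:
        m.add_attachment(data, maintype="application", subtype="pdf",
                         filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for f in audit_attachments(build_sample()):
        status = "; ".join(f["issues"]) or "ok"
        print(f'{f["name"]:<18} {f["type"]:<18} {f["size"]:>6}  {status}')
```

To audit a real message, pass the bytes of a saved .eml or queue file to `audit_attachments` instead of `build_sample()`.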




IMHO Symantec is not the greatest - when next your upgrade is due, take a look at Kaspersky Business Space for a good centrally managed AV.
 
Can we see a full SMTP log? SMTP-in and SMTP-out for an example failed message.
As Brandon said, what message gets returned to the sender - and who is it from (MDaemon or the recipient's server)?

Security Plus (I assume it is Security Plus) is a pretty darn good email scanner and scans ingoing & outgoing.
If it's all up-to-date I say it's pretty unlikely it's letting a virus thru.

Ja Endpoint sucks - not to mention the load on your mailserver.
Whatever you do make sure the whole MDaemon directory is excluded from everything.
 