Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 1 subscriber
  • Views 5602 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[9.104-17][POP3S] UTM configuration

wingman
Hi All

I have configured my GMX account to use POP3S with port 995 (pic below). However, when testing the functionality it seems that emails are not properly scanned for virus. I have used the following online service to check for viruses
Free Email Security Check

I can see that UTM is indeed checking for new emails but

1)It quarantined some of the files but not other ones even though there is an attachment with a "bad" extension 
2013:08:11-11:59:28 ****** pop3proxy[10619]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="securitycheck@emailsecuritycheck.net" to="******@gmx.us" subject="Test mail 1/7 (ID=zFEu5qpmBiQygS94cogyjQ==)" size="3308" srcip="78.47.119.33" dstip="212.227.17.187" uid="0Ll0sP-1VgQj637Qr-00aoll" ident="0/10619-4-1376218768" reason="ext" extra="bat"
2013:08:11-11:59:28 ****** pop3proxy[10619]: id="1100" severity="info" sys="SecureMail" sub="pop3" name="email passed" from="virenschutz@gmxnet.de" to="******@gmx.us" subject="VIRUS SUSPECTED: securitycheck@emailsecuritycheck.net" size="1488" srcip="0.0.0.0" dstip="212.227.17.187" uid="0LwwHY-1WERBb0jHd-016dm4" ident="0/10619-5-1376218768"
2013:08:11-11:59:29 ****** pop3proxy[10619]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="securitycheck@emailsecuritycheck.net" to="******@gmx.us" subject="Test mail 3/7 (ID=zFEu5qpmBiQygS94cogyjQ==)" size="2961" srcip="78.47.119.33" dstip="212.227.17.187" uid="0MgonQ-1VUQ3013Hk-00M0hS" ident="0/10619-6-1376218768" reason="as" extra="confirmed"
2013:08:11-11:59:29 ****** pop3proxy[10619]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="securitycheck@emailsecuritycheck.net" to="******@gmx.us" subject="Test mail 4/7 (ID=zFEu5qpmBiQygS94cogyjQ==)" size="3297" srcip="78.47.119.33" dstip="212.227.17.187" uid="0McQoC-1VQ0Cl2F0K-00Hin1" ident="0/10619-7-1376218769" reason="ext" extra="bat"
2013:08:11-11:59:30 ****** pop3proxy[10619]: id="1100" severity="info" sys="SecureMail" sub="pop3" name="email passed" from="securitycheck@emailsecuritycheck.net" to="******@gmx.us" subject="Test mail 5/7 (ID=zFEu5qpmBiQygS94cogyjQ==)" size="3221" srcip="78.47.119.33" dstip="212.227.17.187" uid="0Ls9Zn-1W8MdV2TR1-013wxx" ident="0/10619-8-1376218769"
2013:08:11-11:59:30 ****** pop3proxy[10619]: id="1100" severity="info" sys="SecureMail" sub="pop3" name="email passed" from="securitycheck@emailsecuritycheck.net" to="******@gmx.us" subject="Test mail 6/7 (ID=zFEu5qpmBiQygS94cogyjQ==)" size="3222" srcip="78.47.119.33" dstip="212.227.17.187" uid="0M8ZyV-1W2vfI0ewd-00wFYa" ident="0/10619-9-1376218770"
2013:08:11-11:59:30 ****** pop3proxy[10619]: id="1100" severity="info" sys="SecureMail" sub="pop3" name="email passed" from="securitycheck@emailsecuritycheck.net" to="******@gmx.us" subject="Test mail 7/7 (ID=zFEu5qpmBiQygS94cogyjQ==)" size="3223" srcip="78.47.119.33" dstip="212.227.17.187" uid="0MTOGl-1VWpxQ1xlX-00SPU0" ident="0/10619-10-1376218770"
2013:08:11-11:59:30 ****** pop3proxy[10619]: Prefetch for account 6 finished (fetched=10, deleted=3, not_on_server=3)


Description of the Test Emails
There are seven test mails our server will try to send:
The first mail (1/7) contains a harmless executable attachment. Even though it is harmless, it should be removed (or replaced) by your attachment blocker. Depending on the configuration of your attachment blocker, this mail may never reach you.
The next mail (2/7) contains a harmless executable attachment, the EICAR anti virus test file in a .zip archive. This file should be detected by every virus checker. Depending on the configuration of your virus checker, this mail may never reach you.
The third mail (3/7) is harmless spam message (GTUBE spam signature), and should be detected by every spam filter. Depending on the configuration of your spam filter, this mail may never reach you.
The remaining four mails (4/7 to 7/7) contain attachments disguised in different ways. Even though the attachments are harmless, they should be removed (or replaced) by your attachment blocker. Depending on the configuration of your attachment blocker, these mails may never reach you.


This thread was automatically locked due to age.
  • 0
    But, Bill, the .bat file WAS blocked at the perimeter.  The ones that got through didn't have a .bat extension until they got to Outlook - this was a mail-client exploit.  The one attachment that was delivered to me by Outlook was an exploit for a different version or client.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Sorry, I edited my post after re-reading your original post again and I agree with you. As I pointed out, the quarantine executable files solves this problem in smtp mails but there is no such option in pop3 section of the UTM.
    Regards
    Bill
  • 0
    I bet you're right.  I think that filter does more of looking inside files to detect real content.

    I just created a copy of write.exe named write.jpg.  It was not blocked by the Extension filter, but the quarantine executable files was not fooled, so the UTM blocked my outbound email.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML