Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 2 answers
  • Subscribers 3 subscribers
  • Views 9707 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMTP e-mail with virus not checked when it is from the internal domain.

stephan.davidse

When UTM9.x recieves a smtp e-mail and the sender adres is from the "internal" domain.

UTM 9.x doesnt scan for virusses. even when it is send from outside the network it is passed to the mail server without checking.

Just change in your email client (from home for example ) your sender adress to for example "info@yourcompany.com"

and send a email to yourname@yourcompany.com

Tested it with eicar.txt and it passes to the internal mail server. (not checked because of internal domain)

Change the sender to info@sophos.com and spf will block the email

Change the sender to yourname@hotmail.com and it is rejected containing malware ( as it should )

when using a blacklisted extention it will block the email

when using a blacklisted recipient it will block the email

How can check incoming email for all domains and not pass malware



This thread was automatically locked due to age.
Parents
  • 0

    Hi S72,

    There's an option to enable the scanning of outgoing mails on the bottom of Email Protection > SMTP > Relaying tab. If you turn that on, malware and spam mails will be blocked from your internal domain as well.

    I hope I could help!

    Kind regards,
    Niriel~

Reply
  • 0

    Hi S72,

    There's an option to enable the scanning of outgoing mails on the bottom of Email Protection > SMTP > Relaying tab. If you turn that on, malware and spam mails will be blocked from your internal domain as well.

    I hope I could help!

    Kind regards,
    Niriel~

Children
  • 0 in reply to Tamas Bajaki

    Hi Niriel,

    This workarround worked. Now it stops the virus (eicar).
    Thanks for the tip.. i hope they will sove this soon. Because this is clearly incomming mail and not outgoing.

    Regards

    Stephan

  • 0 in reply to stephan.davidse

    Hi Stephan,

    You can argue that such a mail is incoming, as the recipient is in the internal domain. But in the same way you can also argue that it is outgoing as the sender is in the internal domain. To avoid this, we could move these kind of mails into a third, "internal" category where both the sender and the recipient is in the internal domain, but that would overcomplicate a lot of things. So to keep things more simple, we have decided to mark such mails as outgoing, since it makes more sense from a company security view: Outgoing rules are usually more lax since the company presumes its users / employees will not send any spam / malware intentionally - this should hold true even if the recipient is part of the same company.

    However, if you would still like for this to be changed, please submit a feature request at http://feature.astaro.com where the suggestion will be looked at if enough other users agree that it would be a welcome change.

    Kind regards,
    Niriel~

  • 0 in reply to Tamas Bajaki

    Hi Niriel,

    Sorry for the late reply, missed your message. In my opinion outgoing email is email send by the organisation from the hosts that are alowed to send email for that organisation. Also if you read the comments with Content Scan for relayed (outgoing) messages it wouldn't apply.

    The RISK
    sending a eicar file from powershell will be accepted by the utm and passed to the mail server from anywere on internet because the utm accepts it as "internal"
    example : Send-MailMessage -From scanner@domain.com -Subject "Test eicar" -To targetuser@domain.com -Attachments c:\temp\eicar.txt -SmtpServer mx.domain.com 

    Scanning outgoing will prevent it but if not checked its a huge security risk. 

    When sending a eicar file with the same setup

    Send-MailMessage -From scanner@otherdomain.com -Subject "Test eicar" -To targetuser@domain.com -Attachments c:\temp\eicar.txt -SmtpServer mx.domain.com 

    the eicar is detected.

    so we can ask all people that spread malware not to send from domain.com to domain.com or change this bug in the utm and scan all incomming email.

Unfiltered HTML