Goner-A problems - false alarm

brandon pearson (BITS) brandon.pearson at BBSRC.AC.UK
Fri Dec 7 16:45:47 GMT 2001


Our mailhub with MailScanner 2.42/Sophos appears to have let some Goner
viruses through.

We had an internal outbreak after Sophos had been updated. The mail had
arrived before Sophos was updated and the user ran it after Sophos had been
updated but before the desktops had been updated.

We then got reports from external sites that we were sending out Goner
viruses. I traced 188 known virus mails going to the mail hub;
MailScanner/Sophos quarantined 178 but let 10 through. These 10 were caught
by McAfee at the remote site.

The only thing I can find is that each mail that got through recorded a
resource error in the syslog.

Dec  5 11:32:24 mhub2.bbsrc.ac.uk mailscanner[22339]: Failed to lock /exim/exim_incoming/input/16BaF0-0003aY-04-D: Resource temporarily unavailable

We get a lot of these errors and I have read on this list that they can be
ignored. The mail hub was busy at the time and MailScanner was running flat
out processing 100 mails at a time.

Any ideas?

Thanks,

Brandon

-----Original Message-----
From: Julian Field [mailto:jkf at ECS.SOTON.AC.UK]
Sent: Wednesday, December 05, 2001 5:44 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Goner-A problems - false alarm


I have now had 3 reports to say that MailScanner is catching it just fine.
:-)
Phew!

I thought it better to alert you (possibly with a false alarm) than sit
around for a day and a half (I'm off to a hospital appt in London tomorrow)
then discover it's a real problem.

I have now seen 3 copies of it myself, all successfully caught by
MailScanner.

But one note of caution: it sounds like it's time for people to remember to
upgrade their Sophos installations; a few people (including me!) were
caught out by having a copy of Sophos so old that they were no longer
getting up-to-date IDE files. Just download it from www.sophos.com and run
"Sophos.install" and all will be well again.

At 17:16 05/12/2001, you wrote:
>MailScanner seems to be having some problems catching the Goner-A virus. On
>my systems it appears to miss it, so presumably the MIME decoding is
>failing to work properly on it.
>
>Until I manage to find the cause and publish the fix, I strongly advise you
>to warn your users about this problem.
>
>Sorry about this, it's the first time it has happened and I will try to
>find a fix as fast as I can. Anyone else who wants to join the bug hunt is
>welcome to try too! I have already contacted the author of the MIME-tools
>module to see if he responds with any ideas.
>
>Sorry again folks :-(
>
>If you have managed to catch it, I would be very interested to hear exactly
>what versions of the MIME-tools module you are using. It may be a bug only
>present in some versions.
>--
>Julian Field                Teaching Systems Manager
>jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
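
The lock-failure observation in the first message can be tested against the whole syslog rather than by eye. The following is an added example, not part of the original thread or of MailScanner: it extracts Exim message IDs from "Failed to lock" entries and compares them with the IDs of known-virus mails that were passed or quarantined. The function names, the ID lists and all sample data except the first log line are constructed, and the syslog is assumed to hold one entry per line.

```python
import re

# Lock-failure line as quoted in the post. The spool file name is an Exim
# message ID plus "-D" (data file) or "-H" (header file).
LOCK_FAIL = re.compile(
    r"mailscanner\[\d+\]: Failed to lock \S*/"
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})-[DH]:"
)

def lock_failed_ids(syslog_lines):
    """Return the set of Exim message IDs that logged a lock failure."""
    ids = set()
    for line in syslog_lines:
        m = LOCK_FAIL.search(line)
        if m:
            ids.add(m.group("msgid"))
    return ids

def correlate(syslog_lines, passed_ids, quarantined_ids):
    """Split known-virus message IDs by outcome and lock-failure status."""
    failed = lock_failed_ids(syslog_lines)
    passed, quarantined = set(passed_ids), set(quarantined_ids)
    return {
        "passed_with_lock_failure": sorted(passed & failed),
        "passed_without_lock_failure": sorted(passed - failed),
        "quarantined_with_lock_failure": sorted(quarantined & failed),
    }

HOST = "Dec  5 11:32:24 mhub2.bbsrc.ac.uk "
SPOOL = "/exim/exim_incoming/input/"
ERR = ": Resource temporarily unavailable"
SAMPLE_SYSLOG = [
    # The first entry is the line from the post; the rest are constructed.
    HOST + "mailscanner[22339]: Failed to lock " + SPOOL + "16BaF0-0003aY-04-D" + ERR,
    HOST + "mailscanner[22339]: Failed to lock " + SPOOL + "16BaF1-0003aZ-00-H" + ERR,
    HOST + "exim[22400]: constructed entry that is not a lock failure",
]
# Constructed ID lists, standing in for the admin's own trace of virus mails.
SAMPLE_PASSED = ["16BaF0-0003aY-04", "16BaF3-0003b1-00"]
SAMPLE_QUARANTINED = ["16BaF1-0003aZ-00", "16BaF4-0003b2-00"]

if __name__ == "__main__":
    for key, ids in correlate(SAMPLE_SYSLOG, SAMPLE_PASSED, SAMPLE_QUARANTINED).items():
        print(key, ids)
```

A non-empty "quarantined_with_lock_failure" list means mails with the same error were still caught, so the lock failure alone would not explain the misses; a non-empty "passed_without_lock_failure" list points the same way.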


