E-mail scan with McAfee

Ed Ortiz Edward_Ortiz at SSA-SA.SEL.SONY.COM
Wed Nov 28 15:29:01 GMT 2001


Bruce, I think it is because the message triggered two "alerts" within MailScanner. It first caught that it had a hidden extension, the .doc.com, so it marks this as a virus; secondly, McAfee found the Sircam virus, which would be where the second alert comes in. I've noticed that MailScanner flags any extensions that break the rules configured in filename.rules.conf as a virus. Hope this helps.

Ed.

>>> Bruce Huang <y.huang at UTORONTO.CA> 11/28/01 9:07:35 AM >>>
Hi,

I am new to MailScanner and need some advice. I have MailScanner 2.60-2
with McAfee installed on Sun Solaris 2.7 with sendmail 8.12.1. Everything
seems to be working fine, except that when the system sights a file with a
virus, MailScanner thinks there are two files.
Thanks for any advice in advance.

Regards,

Bruce


P.S. The following is the report I got:

The report:

The following e-mail messages were found to have viruses inside the
attachement:

   Sender: <X>
Recipient: <Y>
  Subject: Spa paper 1
MessageID: fAP9dDCc007036
   Report: Attempt to hide real filename extension in Spa paper1.doc.com

   Sender:
Recipient:
  Subject:
MessageID: opt
   Report: /opt/local/mailscanner/var/incoming/fAP9dDCc007036/Spa paper
1.doc.com        Found the W32/SirCam at MM virus !!!


The system log:

Nov 26 08:01:29 hudson.geog.utoronto.ca sm-mta[19684]: fAQD1KCc019684:
from=<X>, size=216456, class=0, nrcpts=1,
msgid=<20011126133235.E6A8D1FD54 at bom6.vsnl.net.in>, proto=ESMTP,
daemon=MTA, relay=bom6.vsnl.net.in [202.54.4.38]
Nov 26 08:01:29 hudson.geog.utoronto.ca sm-mta[19684]: fAQD1KCc019684:
to=<Y>, delay=00:00:07, mailer=esmtp, pri=250658, stat=queued

Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Using flock()
to lock /var/spool/mqueue.in/qffAQD1KCc019684
Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Using flock()
to lock >/var/spool/MailScanner/incoming/fAQD1KCc019684.header
Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Scanning 1
messages, 217558 bytes
Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Going to scan 1
messages
Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Commencing
scanning...
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Completed
scanning
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Found possible
filename hiding in 2.doc.com
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Found 2 viruses
in messages opt,fAQD1KCc019684
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Scanned 1
messages, 217558 bytes in 1 seconds
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Saved
infections to /var/spool/MailScanner/quarantine/20011126/opt
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Saved
infections to /var/spool/MailScanner/quarantine/20011126/fAQD1KCc0196
84
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Deleting
unparsable message opt from queue
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Using flock()
to lock >/var/spool/mqueue/dffAQD1KCc019684
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Using flock()
to lock >/var/spool/mqueue/tffAQD1KCc019684
Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: About to
deliver 2 messages
Nov 26 08:01:55 hudson.geog.utoronto.ca sendmail[19694]: fAQD1t6U019694:
from=root, size=505, class=0, nrcpts=1,
msgid=<200111261301.fAQD1t6U019694 at hudson.geog.utoronto.ca>,
relay=root at localhost 
Nov 26 08:01:55 hudson.geog.utoronto.ca sendmail[19693]:
fAQD1KCc019684: to=<Y>, delay=00:00:33, xdelay=00:00:00,
mailer=esmtp, pri=340658, relay=cirque.geog.utoronto.ca.
[128.100.66.10], dsn=2.0.0, stat=Sent (Data received OK.)
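Ed's explanation above, that a filename-rule hit is reported as an infection alongside the scanner's own detection, as an added example that is not MailScanner's code: a small Python re-implementation of first-match filename rules run against the attachment from Bruce's report. The rule file content and the McAfee report string are constructed; the four-field, tab-separated layout is modelled on later MailScanner filename.rules.conf files and is an assumption about the 2.60 release.

```python
import re

# Constructed rule set in the spirit of filename.rules.conf (assumed layout:
# action <TAB> regex <TAB> log text <TAB> user report text). Not the file
# shipped with any MailScanner release; "-" means no report text.
RULES_CONF = """\
allow\t\\.txt$\t-\t-
deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tDouble extension\tAttempt to hide real filename extension
deny\t\\.(com|exe|pif|scr|vbs)$\tExecutable\tNo executable attachments allowed
allow\t.*\t-\t-
"""


def parse_rules(text):
    """Turn the rule text into (action, compiled regex, log text, user text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, logtext, usertext = line.split("\t", 3)
        rules.append((action.lower(), re.compile(pattern, re.I), logtext, usertext))
    return rules


def check_filename(name, rules):
    """First matching rule wins. Returns (allowed, user report or None)."""
    for action, regex, _logtext, usertext in rules:
        if regex.search(name):
            if action == "allow":
                return True, None
            return False, f"{usertext} in {name}"
    return True, None  # no rule matched: treat as allowed


def scan_message(attachments, scanner_hits, rules):
    """Collect one report per filename-rule hit plus one per scanner hit.

    scanner_hits maps filename -> scanner report text (a constructed stand-in
    for McAfee output). Every report is counted as an infection, which is why
    a single bad attachment can show up as "Found 2 viruses".
    """
    reports = []
    for name in attachments:
        allowed, report = check_filename(name, rules)
        if not allowed:
            reports.append(report)
        if name in scanner_hits:
            reports.append(f"{name} {scanner_hits[name]}")
    return reports
```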


