Attachment scanning problem

Arjen Meek arjen at MEEK.XS4ALL.NL
Wed Oct 30 01:46:29 GMT 2002


Hi,

I'm using MailScanner 3.24.1 (from Debian unstable) under Debian Woody
(Linux 2.4.19), with Exim 3.35 and McAfee 4.16. There are no dependency
problems. I've set up Exim as suggested in the documentation that came
with the mailscanner_3.13.2-4 Debian package (which I was using at the
time I first installed MailScanner). Messages which are not infected are
passed on properly, and messages with suspicious attachment names are
detected and modified as they should be, as well.
However, when I test MailScanner by sending myself a message with an
infected attachment (in this case "test.com"), something goes strangely
wrong. The message I sent is delivered as "Found to be clean" and with
the original (infected) attachment. However, a virus warning message is
sent to postmaster about an infected file (start/end tags are mine):

<START>
The following e-mail messages were found to have viruses in them:

Sender:
IP address:
Recipient:
Subject:
MessageID: data
Report: /data/186h1L-0006qf-00/test.com        Found the
W32/Magistr.b at MM virus !!!
<END>

Also, when I'm logged in as root when the message is sent, the following
appears on the console:
<START>
/bin/cp: cannot stat
`/var/spool/mailscanner/incoming/data/186h1L-0006qf-00': No such file or
directory
/bin/cat: /var/spool/mailscanner/incoming/data.header: No such file or
directory
/bin/sed: can't read /var/spool/exim_incoming/input/data-D: No
such file or directory
exim: malformed message id data after -Mc option
<END>

The syslog record of the whole event:

<START>
mailscanner[26288]: Scanning 1 messages, 82064 bytes
mailscanner[26288]: /data/186h1L-0006qf-00/test.com        Found the
W32/Magistr.b at MM virus !!!
mailscanner[26288]: Found 1 viruses in messages data
mailscanner[26288]: Scanned 1 messages, 82064 bytes in 12 seconds
mailscanner[26288]: Saved infections to
/var/spool/mailscanner/quarantine/20021030/data
mailscanner[26288]: Saved entire message to
/var/spool/mailscanner/quarantine/20021030/data
mailscanner[26288]: Deleting unparsable message data from queue
mailscanner[26288]: Notified postmaster about 1 infections
exim[26340]: 2002-10-30 01:48:01 186h1L-0006qf-00 => arjen
<arjen at meek.xs4all.nl> D=procmail T=procmail_pipe
exim[26340]: 2002-10-30 01:48:01 186h1L-0006qf-00 Completed
mailscanner[26288]: Skipping renamed/deleted attachment 186h1L-0006qf-00
mailscanner[26288]: Scanning 1 messages, 928 bytes
mailscanner[26288]: Scanned 1 messages, 928 bytes in 5 seconds
exim[26359]: 2002-10-30 01:48:19 186h1b-0006qt-00 => arjen
<postmaster at meek.xs4all.nl> D=procmail T=procmail_pipe
exim[26359]: 2002-10-30 01:48:19 186h1b-0006qt-00 Completed
<END>

The only thing that actually gets saved to the quarantine dir is a
zero-byte file called "message".

As far as I can tell with my limited understanding of the program,
MailScanner somehow unpacks the attachment from the message and
McAfee successfully finds it to be infected, but MailScanner loses track
of which message the attachment originally belonged to (maybe the
message has already been delivered by the time it tries to modify it?).
This would explain why the warning mail to postmaster doesn't contain
message info and why the infected message is delivered as if it were
clean.

Also, I've tested exactly the same thing after temporarily reverting to
the stable-branch mailscanner_3.13.2 package. Same problem, except for
the absence of the error messages on the root console.

But I haven't got the slightest idea what causes it. There are no
unconventional settings in my mail system setup (aside from
MailScanner, and some perl+mime package it depends on, being from the
unstable Debian branch), and MailScanner is set up using default values
where possible. Both Exim and McAfee seem to be doing what they're
expected to, so IMHO the problem must have something to do with
MailScanner.

Am I doing something terribly wrong, or could this be bug-related?

Arjen
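The syslog excerpt above shows the symptom directly: every place MailScanner names the message it is acting on ("Found 1 viruses in messages data", "Deleting unparsable message data from queue", the quarantine path ending in "/data") it uses "data", which is the spool subdirectory name rather than an Exim queue ID, while the real ID 186h1L-0006qf-00 is visible inside the scanner's own report path and in the Exim delivery lines. The script below, an added example that is not part of the post and not MailScanner code, runs that check over the posted log lines (joined back into one record each): it flags every ID MailScanner claims that does not have the 6-6-2 shape of the Exim IDs shown, and pulls out the valid IDs that appear in the same lines. The regular expressions for the log-line shapes are assumptions based on the lines shown here, not a reading of MailScanner's source.

```python
"""Flag MailScanner log lines whose "message ID" is not an Exim queue ID.

Added example (not MailScanner or Exim code). The line patterns below are
assumed from the syslog excerpt in the post.
"""
import re
from typing import Dict, List, Tuple

# Exim queue IDs in the post have the shape 6-6-2 alphanumerics (186h1L-0006qf-00).
EXIM_ID = r'[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}'
EXIM_ID_RE = re.compile(r'^' + EXIM_ID + r'$')
# Same shape anywhere in a line, bounded by non-ID characters (e.g. path separators).
EXIM_ID_ANYWHERE_RE = re.compile(r'(?<![0-9A-Za-z-])' + EXIM_ID + r'(?![0-9A-Za-z-])')

# Places where MailScanner names the message it believes it is handling (assumed shapes).
CLAIMED_ID_RES = [
    re.compile(r'Found \d+ viruses in messages (\S+)'),
    re.compile(r'Saved (?:infections|entire message) to \S*/(\S+)$'),
    re.compile(r'Deleting unparsable message (\S+) from queue'),
    re.compile(r'Skipping renamed/deleted attachment (\S+)'),
]

# Syslog excerpt from the post, with the wrapped lines joined back together.
SAMPLE_LOG = [
    "mailscanner[26288]: Scanning 1 messages, 82064 bytes",
    "mailscanner[26288]: /data/186h1L-0006qf-00/test.com        Found the W32/Magistr.b at MM virus !!!",
    "mailscanner[26288]: Found 1 viruses in messages data",
    "mailscanner[26288]: Scanned 1 messages, 82064 bytes in 12 seconds",
    "mailscanner[26288]: Saved infections to /var/spool/mailscanner/quarantine/20021030/data",
    "mailscanner[26288]: Saved entire message to /var/spool/mailscanner/quarantine/20021030/data",
    "mailscanner[26288]: Deleting unparsable message data from queue",
    "mailscanner[26288]: Notified postmaster about 1 infections",
    "exim[26340]: 2002-10-30 01:48:01 186h1L-0006qf-00 => arjen <arjen at meek.xs4all.nl> D=procmail T=procmail_pipe",
    "exim[26340]: 2002-10-30 01:48:01 186h1L-0006qf-00 Completed",
    "mailscanner[26288]: Skipping renamed/deleted attachment 186h1L-0006qf-00",
]


def is_exim_id(token: str) -> bool:
    """True if token has the 6-6-2 shape of the Exim queue IDs in the log."""
    return EXIM_ID_RE.match(token) is not None


def claimed_ids(line: str) -> List[str]:
    """IDs MailScanner names as 'the message' in this line (may be bogus, e.g. 'data')."""
    found = []
    for rx in CLAIMED_ID_RES:
        m = rx.search(line)
        if m:
            found.append(m.group(1))
    return found


def real_ids(line: str) -> List[str]:
    """Tokens anywhere in the line that look like Exim queue IDs (e.g. path components)."""
    return EXIM_ID_ANYWHERE_RE.findall(line)


def audit(lines: List[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Split MailScanner's claimed IDs into valid Exim IDs and bogus ones, with line numbers."""
    result: Dict[str, List[Tuple[int, str]]] = {"bogus": [], "valid": []}
    for n, line in enumerate(lines, 1):
        if not line.startswith("mailscanner["):
            continue
        for mid in claimed_ids(line):
            result["valid" if is_exim_id(mid) else "bogus"].append((n, mid))
    return result


def recover_ids(lines: List[str]) -> List[str]:
    """Valid Exim IDs found inside scanner lines that carry no valid claimed ID."""
    seen: List[str] = []
    for line in lines:
        if line.startswith("mailscanner[") and not any(is_exim_id(c) for c in claimed_ids(line)):
            for rid in real_ids(line):
                if rid not in seen:
                    seen.append(rid)
    return seen


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for n, mid in report["bogus"]:
        print(f"line {n}: MailScanner named message {mid!r}, which is not an Exim queue ID")
    print("Exim IDs visible inside those scanner lines:", recover_ids(SAMPLE_LOG))
```

On the posted excerpt this reports four bogus IDs (all "data", from the "Found 1 viruses", two "Saved ... to" and the "Deleting unparsable message" lines) and recovers 186h1L-0006qf-00 from the scanner's report path, which is the same ID Exim then delivers and the "Skipping renamed/deleted attachment" line names. The same mismatch explains the console errors: cp, cat, sed and exim -Mc are all being handed "data" where a queue ID was expected.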


