Email Vulnerabilities

Julian Field mailscanner at ecs.soton.ac.uk
Tue Sep 24 17:53:03 IST 2002


I'll work on this tonight.

The "not forking" and then stopping in debug mode is what it's supposed to do.
It stays in the foreground, does 1 scan of the mail queue, processes what
it finds and then stops.

At 17:31 24/09/2002, you wrote:
>Hello,
>
> > > >One thing I am wondering about: why does this eicar.com GFI test email
> > > >go to my Outlook Express Deleted Items with a modified subject {VIRUS?}
> > > >eicar.com [1/5] up to [5/5], and there's no warning message in the body
> > > >and the attachment is intact with the filename eicar.com. I'm just
> > > >wondering about this.
> > >
> > > Can anyone else corroborate this? V3 should have deleted the entire
> > > message in each of those cases.
>
>I have the same, I upgraded also from the rpm to version: mailscanner-3.23-1
>
>When I put debugging on 1 and restart mailscanner, mailscanner stops after
>" In Debugging mode, not forking...". Is this normal?
>
>When I run the http://www.gfi.com/emailsecuritytest/ test and mailscanner
>in debug mode I see this message in the logs, watch the Oh shit messages!:
>
>[root at mail etc]# cat /var/log/maillog |grep g8OEwF113849
>Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific
>exploits in g8OEwF113849
>Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages
>g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH11390
>9,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113
>977,g8OEwI113962,g8OEwF113814
>Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in
>message :-( g8OEwF113849
>Sep 24 17:00:36 mail mailscanner[14094]: Saved entire message to
>/var/spool/MailScanner/quarantine/20020924/g8OEwF113849
>Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific
>exploits in g8OEwF113849
>Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages
>g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE11379
>8,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962
>Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in
>message :-( g8OEwF113849
>Sep 24 17:05:30 mail mailscanner[15462]: Saved entire message to
>/var/spool/MailScanner/quarantine/20020924/g8OEwF113849
>Sep 24 17:05:34 mail sendmail[15711]: g8OEwF113849: to=jeroen,
>delay=00:07:18, xdelay=00:00:00, mailer=local, pri=132087, dsn=2.0.0,
>stat=Sent
>Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages
>g8OEwD113772,g8OEwE113798,g8OEwF113849
>[root at mail etc]# cat /var/log/maillog |grep g8OEwE113798
>Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific
>exploits in g8OEwE113798
>Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages
>g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH11390
>9,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113
>977,g8OEwI113962,g8OEwF113814
>Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in
>message :-( g8OEwE113798
>Sep 24 17:00:35 mail mailscanner[14094]: Saved entire message to
>/var/spool/MailScanner/quarantine/20020924/g8OEwE113798
>Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific
>exploits in g8OEwE113798
>Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages
>g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE11379
>8,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962
>Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in
>message :-( g8OEwE113798
>Sep 24 17:05:29 mail mailscanner[15462]: Saved entire message to
>/var/spool/MailScanner/quarantine/20020924/g8OEwE113798
>Sep 24 17:05:33 mail sendmail[15711]: g8OEwE113798: to=jeroen,
>delay=00:07:19, xdelay=00:00:00, mailer=local, pri=130691, dsn=2.0.0,
>stat=Sent
>Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages
>g8OEwD113772,g8OEwE113798,g8OEwF113849
>[root at mail etc]#
>
>Maybe this info is useful to tackle the splitting message thing.
>
>Regards,
>
>Jeroen

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
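
The sequence visible in the quoted maillog (a "missed infected entity" line followed by a sendmail stat=Sent line for the same queue ID) can be searched for mechanically. The following is an added example, not part of the original post and not MailScanner code; the function name delivered_after_miss and the sample log lines with their queue IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the maillog excerpt quoted above.
# Queue IDs are made up; real syslog lines are one line each (no mail wrapping).
SAMPLE_LOG = """\
Sep 24 17:00:20 mail sendmail[14000]: g8OAAA000002: to=jeroen, delay=00:00:03, xdelay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific exploits in g8OAAA000001
Sep 24 17:00:34 mail mailscanner[14094]: Found 2 viruses in messages g8OAAA000001,g8OAAA000002
Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in message :-( g8OAAA000001
Sep 24 17:00:35 mail mailscanner[14094]: Oh shit, missed infected entity in message :-( g8OAAA000002
Sep 24 17:00:36 mail mailscanner[14094]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OAAA000001
Sep 24 17:05:34 mail sendmail[15711]: g8OAAA000001: to=jeroen, delay=00:07:18, xdelay=00:00:00, mailer=local, pri=132087, dsn=2.0.0, stat=Sent
Sep 24 17:05:40 mail sendmail[15712]: g8OAAA000003: to=jeroen, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
"""

# timestamp, host, program[pid]: message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ (\w+)\[\d+\]: (.*)$")
MISSED = re.compile(r"missed infected entity in message\s+:-\(\s+(\S+)$")
SENT = re.compile(r"^(\w+): to=([^,]+),.*\bstat=Sent\b")


def delivered_after_miss(log_text):
    """Map queue ID -> [(timestamp, recipient)] for every sendmail
    stat=Sent line logged after a MailScanner 'missed infected entity'
    line for the same queue ID. Deliveries logged before the miss are
    not reported."""
    missed = set()
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped fragment or unrelated line
        ts, prog, msg = m.groups()
        if prog == "mailscanner":
            found = MISSED.search(msg)
            if found:
                missed.add(found.group(1))
        elif prog == "sendmail":
            sent = SENT.match(msg)
            if sent and sent.group(1) in missed:
                hits[sent.group(1)].append((ts, sent.group(2)))
    return dict(hits)


if __name__ == "__main__":
    for qid, deliveries in delivered_after_miss(SAMPLE_LOG).items():
        for ts, rcpt in deliveries:
            print(f"{qid}: delivered to {rcpt} at {ts} after a missed entity")
```

Run against a real maillog, each reported queue ID can be compared with the copy under the quarantine directory named in the "Saved entire message to" line.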


