Email Vulnerabilities

Julian Field mailscanner at ecs.soton.ac.uk
Tue Sep 24 18:24:38 IST 2002


Bug sorted.

Either apply this patch (only relevant to v3, not v4) or give me 5 minutes
and you can download 3.23-2

--- explode.pl.old      Tue Sep 24 18:34:51 2002
+++ explode.pl  Tue Sep 24 18:34:21 2002
@@ -343,7 +343,7 @@
    for ($i=0; $i<@parts; $i++) {
      ($infectednum=$i),last if $parts[$i]==$infected;
    }
-  Log::WarnLog("Oh shit, missed infected entity in message :-( $MsgId"),
return
+  Log::WarnLog("Oh bother, missed infected entity in message :-( $MsgId"),
return
      if $infectednum<0;

    # Now to actually do something about it...
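Review bot: the only functional change in this hunk is the wording of the warning text, so anyone who, like the log excerpt later in this thread, greps maillog for "Oh shit, missed infected entity" will silently stop seeing these events after upgrading; the new string "Oh bother, missed infected entity in message" deserves a line in the release note. Separately, the `Log::WarnLog(...), return if $infectednum<0;` comma-operator idiom is easy to misread as a bare call followed by an unconditional `return`; `if ($infectednum < 0) { Log::WarnLog(...); return; }` says the same thing plainly.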
@@ -420,6 +420,10 @@
                        $id,
                        $filename,
                        $basedir);
+
+      # If we just replaced the entire message, don't try any more
+      # disinfecting (cleaning) on this message as it isn't there any more.
+      last if $file eq "";
      }

      # Mark the message as disinfected, if the user wants us to
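Review bot: `last if $file eq "";` compares against the empty string, but the assignment to `$file` is not in the visible context, so it is worth confirming the callee really returns "" (and not undef) when it has replaced the whole message; `undef eq ""` is true but emits an "uninitialized value" warning under `use warnings`, and `last unless defined $file && $file ne "";` covers both cases. Also, since `last` only leaves the enclosing loop, the "Mark the message as disinfected" step that follows appears to still run for a message whose body was just replaced wholesale; if that is intended, a one-line comment saying so would save the next reader the same question.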

At 17:53 24/09/2002, you wrote:
>I'll work on this tonight.
>
>The "not forking" and then stopping in debug mode is what it's supposed to do.
>It stays in the foreground, does 1 scan of the mail queue, processes what
>it finds and then stops.
>
>At 17:31 24/09/2002, you wrote:
>>Hello,
>>
>> > > >One thing I am wondering about: why does this eicar.com GFI test email go
>> > > >to my Outlook Express deleted items with a modified subject {VIRUS?}
>> > > >eicar.com [1/5] up to [5/5], and there's no warning message in the body and
>> > > >the attachment is intact with the filename eicar.com. I'm just wondering
>> > > >about this.
>> > >
>> > > Can anyone else corroborate this? V3 should have deleted the entire
>> > > message in each of those cases.
>>
>>I have the same; I upgraded also from the rpm to version mailscanner-3.23-1.
>>
>>When I put debugging on 1 and restart mailscanner, mailscanner stops after
>>"In Debugging mode, not forking...". Is this normal?
>>
>>When I run the http://www.gfi.com/emailsecuritytest/ test with mailscanner
>>in debug mode I see this message in the logs; watch the "Oh shit" messages!:
>>
>>[root at mail etc]# cat /var/log/maillog |grep g8OEwF113849
>>Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific exploits in g8OEwF113849
>>Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwI113962,g8OEwF113814
>>Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in message :-( g8OEwF113849
>>Sep 24 17:00:36 mail mailscanner[14094]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwF113849
>>Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific exploits in g8OEwF113849
>>Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962
>>Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in message :-( g8OEwF113849
>>Sep 24 17:05:30 mail mailscanner[15462]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwF113849
>>Sep 24 17:05:34 mail sendmail[15711]: g8OEwF113849: to=jeroen, delay=00:07:18, xdelay=00:00:00, mailer=local, pri=132087, dsn=2.0.0, stat=Sent
>>Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages g8OEwD113772,g8OEwE113798,g8OEwF113849
>>[root at mail etc]# cat /var/log/maillog |grep g8OEwE113798
>>Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific exploits in g8OEwE113798
>>Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwI113962,g8OEwF113814
>>Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in message :-( g8OEwE113798
>>Sep 24 17:00:35 mail mailscanner[14094]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwE113798
>>Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific exploits in g8OEwE113798
>>Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962
>>Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in message :-( g8OEwE113798
>>Sep 24 17:05:29 mail mailscanner[15462]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwE113798
>>Sep 24 17:05:33 mail sendmail[15711]: g8OEwE113798: to=jeroen, delay=00:07:19, xdelay=00:00:00, mailer=local, pri=130691, dsn=2.0.0, stat=Sent
>>Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages g8OEwD113772,g8OEwE113798,g8OEwF113849
>>[root at mail etc]#
>>
>>Maybe this info is useful to tackle the splitting message thing.
>>
>>Regards,
>>
>>Jeroen
>
>--
>Julian Field                Teaching Systems Manager
>jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
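The symptom Jeroen's log excerpt shows (the scanner reports a virus and saves the message to quarantine, yet sendmail still logs it as delivered) can be caught by correlating the two programs' log lines on the shared queue ID. This is an added example, not code from MailScanner or from anyone in the thread; the log lines, queue IDs, PIDs and recipients in SAMPLE_LOG are constructed to mirror the quoted maillog format.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt modelled on the lines quoted in this thread;
# queue IDs, PIDs and recipients are made up for the example.
SAMPLE_LOG = """\
Sep 24 17:00:34 mail mailscanner[14094]: Found 2 viruses in messages g8OEwF000001,g8OEwE000002
Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in message :-( g8OEwF000001
Sep 24 17:00:36 mail mailscanner[14094]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwF000001
Sep 24 17:05:34 mail sendmail[15711]: g8OEwF000001: to=alice, delay=00:07:18, xdelay=00:00:00, mailer=local, pri=132087, dsn=2.0.0, stat=Sent
Sep 24 17:05:35 mail sendmail[15711]: g8OEwE000002: to=alice, delay=00:07:19, xdelay=00:00:00, mailer=local, pri=130691, dsn=2.0.0, stat=Sent
Sep 24 17:06:00 mail sendmail[15720]: g8OEwG000003: to=bob, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")

# (program, regex over the message part, event name); group 1 is a queue ID,
# or a comma-separated list of IDs for the "Found N viruses" line
PATTERNS = [
    ("mailscanner", re.compile(r"Found \d+ viruses in messages (\S+)"), "virus"),
    ("mailscanner", re.compile(r"missed infected entity in message :-\( (\S+)"), "missed_entity"),
    ("mailscanner", re.compile(r"Saved entire message to \S+/(\S+)$"), "quarantined"),
    ("sendmail", re.compile(r"^(\S+): to=.*\bstat=Sent"), "delivered"),
]


def parse_events(log_text):
    """Map each queue ID to the set of scanner/MTA events logged for it."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for prog, pattern, name in PATTERNS:
            if m.group("prog") != prog:
                continue
            hit = pattern.search(m.group("msg"))
            if hit:
                for qid in hit.group(1).split(","):
                    events[qid].add(name)
    return events


def scanner_bypass(events):
    """Queue IDs the scanner reported as infected that sendmail still delivered."""
    return sorted(q for q, ev in events.items() if "virus" in ev and "delivered" in ev)


if __name__ == "__main__":
    print("flagged by scanner but delivered:", scanner_bypass(parse_events(SAMPLE_LOG)))
```

Pointing the same two functions at a real /var/log/maillog gives a quick audit of whether a scanner upgrade has closed the gap: an empty list means every message the scanner flagged was also withheld.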
