mailscanner is not processing virus mails of the same kind the same way

Kim Schulz kim at SCHULZ.DK
Wed Aug 20 23:28:47 IST 2003


Hi
We use MailScanner with SpamAssassin and F-Prot on our mail proxy, but
in the recent virus attacks we have noticed something.
When we get a mail with the Sobig.F virus in it, then sometimes it is
handled as if it is a virus and other times it is handled as a filename
attack. Today one of our users even told me that some of them go right
through as clean messages.
Here's a bit from the messages log:
Aug 20 15:36:23 ns2 razord2[9180]: /var/spool/MailScanner/incoming/9180/PAA31834/application.pif Infection: W32/Sobig.F
Aug 20 15:36:24 ns2 razord2[9180]: Filename Checks: Possible MS-Dos program shortcut attack (application.pif)
Aug 20 15:36:24 ns2 razord2[9180]: Saved infected "application.pif" to /var/spool/MailScanner/quarantine/20030820/PAA31834
Aug 20 16:25:09 ns2 razord2[982]: /var/spool/MailScanner/incoming/982/QAA03813/msg-982-17.txt->application.pif  Infection: W32/Sobig.F
Aug 20 16:27:03 ns2 razord2[1372]: /var/spool/MailScanner/incoming/1372/QAA03969/application.pif Infection: W32/Sobig.F
Aug 20 16:27:03 ns2 razord2[1372]: Filename Checks: Possible MS-Dos program shortcut attack (application.pif)
Aug 20 16:27:03 ns2 razord2[1372]: Saved infected "application.pif" to /var/spool/MailScanner/quarantine/20030820/QAA03969
Aug 20 16:33:09 ns2 razord2[1372]: /var/spool/MailScanner/incoming/1372/QAA04584/application.pif Infection: W32/Sobig.F
Aug 20 16:33:09 ns2 razord2[1372]: Filename Checks: Possible MS-Dos program shortcut attack (application.pif)
Aug 20 16:33:09 ns2 razord2[1372]: Saved infected "application.pif" to /var/spool/MailScanner/quarantine/20030820/QAA04584

As you can see, the messages are handled differently.

Has anyone else experienced that mails with viruses like this can get
right through the filter and get the status Clean?

Best regards
Kim Schulz
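An added example, not from the original post or from MailScanner itself, that walks the log excerpt above per queue ID and flags messages whose handling diverged from the usual detect, filename-check, quarantine sequence (in the excerpt, QAA03813: the .pif was found nested inside another part, "msg-982-17.txt->application.pif", and no Filename Checks or Saved infected line follows). The log lines are copied from the post with the wrapped lines rejoined; the regexes, the PID-based association of Filename Checks lines with a queue ID, and the three divergence rules are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: three entries from the post's syslog excerpt, wrapped lines rejoined.
LOG = """\
Aug 20 15:36:23 ns2 razord2[9180]: /var/spool/MailScanner/incoming/9180/PAA31834/application.pif Infection: W32/Sobig.F
Aug 20 15:36:24 ns2 razord2[9180]: Filename Checks: Possible MS-Dos program shortcut attack (application.pif)
Aug 20 15:36:24 ns2 razord2[9180]: Saved infected "application.pif" to /var/spool/MailScanner/quarantine/20030820/PAA31834
Aug 20 16:25:09 ns2 razord2[982]: /var/spool/MailScanner/incoming/982/QAA03813/msg-982-17.txt->application.pif  Infection: W32/Sobig.F
Aug 20 16:27:03 ns2 razord2[1372]: /var/spool/MailScanner/incoming/1372/QAA03969/application.pif Infection: W32/Sobig.F
Aug 20 16:27:03 ns2 razord2[1372]: Filename Checks: Possible MS-Dos program shortcut attack (application.pif)
Aug 20 16:27:03 ns2 razord2[1372]: Saved infected "application.pif" to /var/spool/MailScanner/quarantine/20030820/QAA03969
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ \S+\[(\d+)\]: (.*)$")  # syslog prefix -> (pid, body); assumed format
INFECTION = re.compile(r"/incoming/\d+/(\w+)/(\S+)\s+Infection:\s+(\S+)")  # -> (queue id, file, virus)
FILENAME = re.compile(r"^Filename Checks: (.+)$")
SAVED = re.compile(r'^Saved infected "(.+)" to \S+/(\w+)$')  # -> (file, queue id from quarantine path)

def summarize(log):
    """Per queue ID: virus name, file path, filename-check verdict, and whether a quarantine line followed."""
    msgs = defaultdict(lambda: {"virus": None, "path": None,
                                "filename_check": None, "quarantined": False})
    last_qid = {}  # pid -> queue ID that child process is currently working on
    for m in filter(None, map(PREFIX.match, log.splitlines())):
        pid, body = m.groups()
        if i := INFECTION.search(body):
            qid, path, virus = i.groups()
            last_qid[pid] = qid
            msgs[qid].update(path=path, virus=virus)
        elif (f := FILENAME.match(body)) and pid in last_qid:
            # this line carries only the PID, so attach it to that child's current message (assumption)
            msgs[last_qid[pid]]["filename_check"] = f.group(1)
        elif s := SAVED.match(body):
            msgs[s.group(2)]["quarantined"] = True
    return dict(msgs)

def inconsistent(summary):
    """Queue IDs whose handling diverged from the normal detect -> filename check -> quarantine sequence."""
    out = []
    for qid, d in sorted(summary.items()):
        reasons = [r for cond, r in ((d["path"] and "->" in d["path"], "nested attachment"),
                                     (d["filename_check"] is None, "no filename check"),
                                     (not d["quarantined"], "not quarantined")) if cond]
        if reasons:
            out.append((qid, reasons))
    return out
```

Run against a full day's log rather than the excerpt before concluding a message was never quarantined, since the Saved infected line may simply have been cut from the excerpt.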
