Sobig bypassing mailscanner queues

Julian Field mailscanner at ecs.soton.ac.uk
Thu Aug 21 11:09:38 IST 2003


You might have something which has restarted the sendmail daemon as per
your original system setup.
Kill all the sendmail processes that are running, and re-start them using
the MailScanner startup script so it runs them right.

That's the only possibility really that could cause messages coming from
the outside world to go straight into mqueue and not mqueue.in.

At 10:51 21/08/2003, you wrote:
>We're having severe difficulties in trapping all the sobig virus, as a
>small percentage seems to be bypassing the mailscanner input queues,
>i.e. the messages appear to be being put directly in the output queue,
>as we also trap on pif and scr via filename rules.
>
>Incidentally we trapped 118,555 instances of the sobig virus yesterday.
>
>Unfortunately we don't seem to be able to repeat or trace these
>messages. I wonder if there is anyone on the list who is able to
>help? We are running sendmail and I suspect our sendmail configuration.
>
>Here is an example from the mail log:-
>
>
>g 21 03:47:20 angelo sendmail[13587]: [ID 801593 mail.info]
>h7L2lJ6V013587: from=<cgowling at hotmail.com>, size=103238, class=0,
>nrcpts=1, msgid=<200308210247.h7L2lJ6V013587 at angelo.kcl.ac.uk>,
>proto=SMTP, daemon=MTA, relay=ent.umds.ac.uk [159.92.16.14]
>Aug 21 03:47:20 angelo sendmail[13590]: [ID 801593 mail.info]
>h7L2lJ6V013587: to=user1, delay=00:00:00, xdelay=00:00:00, mailer=local,
>pri=120544, dsn=2.0.0, stat=Sent
>Aug 21 03:47:20 angelo sendmail[13590]: [ID 801593 mail.info]
>h7L2lJ6V013587: to=user2, delay=00:00:00, xdelay=00:00:00, mailer=local,
>pri=120544, dsn=2.0.0, stat=Sent
>Aug 21 03:47:20 angelo sendmail[13590]: [ID 801593 mail.info]
>h7L2lJ6V013587: to=user3, delay=00:00:00, xdelay=00:00:00, mailer=local,
>pri=120544, dsn=2.0.0, stat=Sent
>
>The header has not been signed by the mailscanner here as we have a
>different signature.
>
>Thanks for any pointers.
>
>
>----------------------
>Joan Bryan
>Unix Systems Administrator
>Information Systems
>Telephone: +44 (0) 20 7848 2671
>mailto:joan.bryan at kcl.ac.uk

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
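A check for the failure mode Julian describes, added here as an example (it is not code from the list post or from MailScanner itself): only a listening sendmail started by the MailScanner startup script queues inbound mail into the incoming queue directory (mqueue.in), so a listener restarted by the stock init script hands mail straight to mqueue and MailScanner never sees it. The script assumes the usual layout, where MailScanner.conf carries an "Incoming Queue Dir" line and the listener is started with -bd and -OQueueDirectory=<that dir>; the ps lines and conf fragment below are constructed sample input.

```sh
# Added example, not from the list post or MailScanner: verify that every
# listening sendmail (-bd) queues into MailScanner's incoming queue dir.
# Assumed layout: "Incoming Queue Dir = ..." in MailScanner.conf, and a
# listener started with -bd -OQueueDirectory=<that dir> by the MailScanner
# startup script. A listener started by the stock init script lacks the
# flag and therefore uses the default mqueue, bypassing MailScanner.

# Print the incoming queue directory from MailScanner.conf text ($1).
incoming_queue_dir() {
    printf '%s\n' "$1" | sed -n 's/^Incoming Queue Dir[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# $1 = sendmail command lines, one per line (from ps or /proc/*/cmdline)
# $2 = MailScanner.conf text
# Prints OK/BAD per listener; returns 1 if any listener bypasses mqueue.in.
check_listeners() {
    want=$(incoming_queue_dir "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        BEGIN { p = "-OQueueDirectory="; bad = 0 }
        {
            listener = 0; qdir = "(default mqueue)"
            for (i = 1; i <= NF; i++) {
                if ($i == "-bd") listener = 1                    # accepts SMTP connections
                if (index($i, p) == 1) qdir = substr($i, length(p) + 1)
            }
            if (!listener) next                                  # queue runner only: harmless
            if (qdir == want) print "OK  " $0
            else { print "BAD " $0 " (queues into " qdir ")"; bad++ }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample inputs.
SAMPLE_CONF='Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue'
# Listener started by the MailScanner startup script, plus its queue runner.
PS_MAILSCANNER='/usr/sbin/sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
/usr/sbin/sendmail -q15m'
# Listener restarted by the stock system init script: delivers straight from mqueue.
PS_STOCK='/usr/sbin/sendmail -bd -q1h'

if check_listeners "$PS_STOCK" "$SAMPLE_CONF"; then
    echo "listener is feeding MailScanner"
else
    echo "listener bypasses MailScanner: restart sendmail via the MailScanner startup script"
fi
```

On a live box, feed it the real daemon command lines (for example from /proc/*/cmdline) and the real MailScanner.conf instead of the sample strings.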