mailscanner is not processing virus mails of the same kind the same way

Julian Field mailscanner at ecs.soton.ac.uk
Thu Aug 21 11:35:50 IST 2003


Check you have all the MIME-tools security patches installed. There might
be something funny going on with the quotes on the end of the filename in
the MIME header.

At 23:28 20/08/2003, you wrote:
>Hi
>We use MailScanner with SpamAssassin and F-Prot on our mail proxy, but
>in the recent virus attacks we have noticed something.
>When we get a mail with the Sobig.F virus in it, then sometimes it is
>handled as if it is a virus and other times it is handled as a filename
>attack. Today one of our users even told me that some of them go right
>through as clean messages.
>Here's a bit from the messages log:
>Aug 20 15:36:23 ns2 razord2[9180]:
>/var/spool/MailScanner/incoming/9180/PAA31834/application.pif
>Infection: W32/Sobig.F
>Aug 20 15:36:24 ns2 razord2[9180]: Filename Checks: Possible MS-Dos
>program shortcut attack (application.pif)
>Aug 20 15:36:24 ns2 razord2[9180]: Saved infected "application.pif" to
>/var/spool/MailScanner/quarantine/20030820/PAA31834
>Aug 20 16:25:09 ns2 razord2[982]:
>/var/spool/MailScanner/incoming/982/QAA03813/msg-982-17.txt->application.pif
>Infection: W32/Sobig.F
>Aug 20 16:27:03 ns2 razord2[1372]:
>/var/spool/MailScanner/incoming/1372/QAA03969/application.pif
>Infection: W32/Sobig.F
>Aug 20 16:27:03 ns2 razord2[1372]: Filename Checks: Possible MS-Dos
>program shortcut attack (application.pif)
>Aug 20 16:27:03 ns2 razord2[1372]: Saved infected "application.pif" to
>/var/spool/MailScanner/quarantine/20030820/QAA03969
>Aug 20 16:33:09 ns2 razord2[1372]:
>/var/spool/MailScanner/incoming/1372/QAA04584/application.pif
>Infection: W32/Sobig.F
>Aug 20 16:33:09 ns2 razord2[1372]: Filename Checks: Possible MS-Dos
>program shortcut attack (application.pif)
>Aug 20 16:33:09 ns2 razord2[1372]: Saved infected "application.pif" to
>/var/spool/MailScanner/quarantine/20030820/QAA04584
>
>as you can see, the messages are handled differently.
>
>Has anyone else experienced that mails with viruses like this can get
>right through the filter and get the status Clean?
>
>Best regards
>Kim Schulz

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
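To make the quoting point above concrete, here is an added example (written for this page, not code from MailScanner or MIME-tools) that parses a Content-Disposition filename two ways: a naive extractor that only accepts a cleanly balanced quoted string, and a tolerant one that strips stray quotes before the extension check. The sample header values, the extension list and all function names are constructed for the example; only the attachment name application.pif comes from the thread.

```python
import os
import re

# Constructed sample Content-Disposition values (not taken from the original
# thread): the same .pif attachment declared with well-formed quoting, no
# quoting, and two kinds of unbalanced quoting.
SAMPLE_HEADERS = {
    "quoted":  'attachment; filename="application.pif"',
    "bare":    'attachment; filename=application.pif',
    "stray":   'attachment; filename=application.pif"',   # closing quote only
    "leading": 'attachment; filename="application.pif',   # opening quote only
}

# Hypothetical block list for this example; a real deployment takes its
# rules from its own filename-rules configuration.
DANGEROUS_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs", ".lnk"}

# A naive extractor that insists on a properly balanced quoted string.
NAIVE_RE = re.compile(r'filename\s*=\s*"([^"]*)"', re.IGNORECASE)


def naive_filename(header: str):
    """Return the filename only when it is cleanly double-quoted."""
    m = NAIVE_RE.search(header)
    return m.group(1) if m else None


# A tolerant extractor: take everything after 'filename=' up to the next
# parameter separator, then strip surrounding whitespace and any stray
# quote characters on either side.
TOLERANT_RE = re.compile(r'filename\s*=\s*([^;]*)', re.IGNORECASE)


def tolerant_filename(header: str):
    m = TOLERANT_RE.search(header)
    if not m:
        return None
    value = m.group(1).strip().strip('"\'')
    # Keep only the last path component so a name with a path prefix still
    # reaches the extension check as a bare filename.
    value = value.replace("\\", "/").rsplit("/", 1)[-1]
    return value or None


def extension_verdict(name):
    """'block' for a dangerous extension, 'allow' otherwise, and
    'unknown-filename' when no name could be parsed at all."""
    if name is None:
        return "unknown-filename"
    ext = os.path.splitext(name.lower())[1]
    return "block" if ext in DANGEROUS_EXTENSIONS else "allow"


def compare(header: str):
    """Verdict from each extractor for one header value."""
    return {
        "naive": extension_verdict(naive_filename(header)),
        "tolerant": extension_verdict(tolerant_filename(header)),
    }


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:8} {header!r:48} -> {compare(header)}")
```

The naive extractor returns no name at all for three of the four headers, so a filename check built on it has nothing to match against and the message can sail through as clean while the virus scanner, which looks at the decoded body rather than the header, still reports an infection. Whatever parser is in use, the practical rule is that an attachment whose filename cannot be parsed should be quarantined or at least flagged, never treated as having passed the filename checks.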
