A virus message saved as spam
Matthijs Althoff
m.althoff at BROMBERG.DEMON.NL
Mon Dec 15 23:29:22 GMT 2003
os : RedHat 9
mailserver: sendmail
mailscanner : 4.25-14
spamassassin: 2.60
Today I found four messages coming in and containing
viruses which are saved as spam instead of a seperate
virus directory under quarantine. Two other messages
coming in are properly contained as virus. Where is
what going wrong?
Dec 15 16:50:12 bromberg sendmail[25427]: hBFFo9u5025427:
from=<bcauthen1 at carolina.rr.com>, size=145631, class=0,
nrcpts=1, msgid=<200312151542.hBFFghov012337 at ms-smtp-03-
eri0.southeast.rr.com>, proto=ESMTP, daemon=MTA, relay=
localhost [127.0.0.1]
Dec 15 16:50:25 bromberg MailScanner[16434]: Message hBFFo9u5025427
from 127.0.0.1 (bcauthen1 at carolina.rr.com) to bromberg.demon.nl
is spam, SpamAssassin (score=9.033, required 5, HTML_30_40 0.81,
HTML_MESSAGE 0.00, HTML_RELAYING_FRAME 0.30, MICROSOFT_EXECUTABLE
0.10, MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, MIME_HTML_
ONLY_MULTI 1.10,MIME_MISSING_BOUNDARY 0.80, MIME_SUSPECT_NAME 0.10,
RCVD_IN_RR_BLACKHOLES 5.00)
Dec 15 16:50:25 bromberg MailScanner[16434]: Spam Actions:
message hBFFo9u5025427 actions are store
$ uvscan hBFFo9u5025427
/var/spool/MailScanner/quarantine/20031215/spam/hBFFo9u5025427
Found the Exploit-MIME.gen.exe virus !!!
==================================
Return-Path: <>
Received: from localhost (localhost [127.0.0.1])
by ******* (8.12.8/8.12.8) with ESMTP id hBFFo9u5025427
for <******>; Mon, 15 Dec 2003 16:50:11 +0100
Received: from pop3.demon.nl
by localhost with POP3 (fetchmail-6.2.0)
for ***** (multi-drop); Mon, 15 Dec 2003 16:50:11 +0100 (CET)
Received: from store-20.mail.nl.demon.net by mailstore
for ******
id 1AVutO-0008gI-1x-0008gM; Mon, 15 Dec 2003 15:44:18 +0000
Received: from incoming-21.mail.nl.demon.net ([194.159.73.161]:4783)
by store-20.mail.nl.demon.net with esmtp (Exim 4.24)
id 1AVutO-0008gI-1x; Mon, 15 Dec 2003 15:44:18 +0000
Received: from ms-smtp-03-lbl.southeast.rr.com ([24.25.9.102]:62954
helo=ms-smtp-03-eri0.southeast.rr.com)
by incoming-21.mail.nl.demon.net with esmtp (Exim 4.24)
id 1AVutM-000Cat-Op; Mon, 15 Dec 2003 15:44:16 +0000
Received: from myyj (cpe-069-132-036-069.carolina.rr.com [69.132.36.69])
by ms-smtp-03-eri0.southeast.rr.com (8.12.10/8.12.7) with SMTP
id hBFFghov012337;
Mon, 15 Dec 2003 10:42:43 -0500 (EST)
Date: Mon, 15 Dec 2003 10:42:43 -0500 (EST)
Message-Id: <200312151542.hBFFghov012337 at ms-smtp-03-eri0.southeast.rr.com>
FROM: "MS Net Delivery System" <mailrobot at america.com>
TO: "mail user" <user at smtpserver.com>
SUBJECT: Undeliverable Message: User unknown
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="xjuuzni"
==================================
More information about the MailScanner
mailing list