whoa! Palyh-A getting thru MS 4.20-3

Jeff A. Earickson jaearick at COLBY.EDU
Mon May 19 18:53:55 IST 2003


Julian,

   I've just noticed this morning that, in my case, Palyh-A is actually
being delivered, when my setting for viruses is "delete".  The syslog for
a message says:

May 19 12:05:20 emerald sendmail[8805]: [ID 801593 mail.info]
   h4JG5Hox008805: from=<support at microsoft.com>, size=71123, class=0,
   nrcpts=1, msgid=<200305191605.h4JG5Hox008805 at emerald.colby.edu>,
   proto=ESMTP, daemon=MTA, relay=[195.137.106.133]
May 19 12:05:24 emerald MailScanner[24302]: Message h4JG5Hox008805 from
   195.137.106.133 (support at microsoft.com) to colby.edu is spam, SpamAssassin
   (score=8.8, required 4, BAYES_70, FORGED_MUA_OUTLOOK,
   MICROSOFT_EXECUTABLE, MISSING_MIMEOLE, MSG_ID_ADDED_BY_MTA_3,
   NO_REAL_NAME, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK)
May 19 12:05:24 emerald MailScanner[24302]: Spam Actions: message
   h4JG5Hox008805 actions are deliver,striphtml
May 19 12:05:26 emerald MailScanner[24302]: INFECTED:: W32/Palyh-A::
   ./h4JG5Hox008805/approved.pif

My Sophos IDEs have an entry for Palyh-A (unless Sophos blew it, and it
is no good).  Setup: Solaris 8, sophossavi, sophos 3.69, MS 4.20-3,
SA 2.54, razor2, perl 5.8.0.

I have had a couple of queries this morning about why people got email
from Microsoft (I got one too), but the email had no attachment.  How
come SA scanned the message before the virus scan above?

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill,
Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------
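
Added example, not part of the original post and not MailScanner code: a log check that flags message IDs for which MailScanner logged both a "Spam Actions" line containing deliver and an "INFECTED::" line, the combination shown in the excerpt above. It assumes the folded syslog layout of that excerpt; the function names and the second and third sample messages are constructed for illustration.

```python
import re
from collections import defaultdict

# First two records are from the post; the last two are constructed for contrast.
SAMPLE_LOG = """\
May 19 12:05:24 emerald MailScanner[24302]: Spam Actions: message
   h4JG5Hox008805 actions are deliver,striphtml
May 19 12:05:26 emerald MailScanner[24302]: INFECTED:: W32/Palyh-A::
   ./h4JG5Hox008805/approved.pif
May 19 12:06:01 emerald MailScanner[24302]: Spam Actions: message
   h4JG9Xox008900 actions are deliver,striphtml
May 19 12:06:30 emerald MailScanner[24302]: INFECTED:: Example/Test-A::
   ./h4JGAYox008911/sample.scr
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
SPAM_ACTIONS = re.compile(r"Spam Actions: message (\S+) actions are (\S+)")
INFECTED = re.compile(r"INFECTED:: (\S+?):: \./([^/\s]+)/(\S+)")


def unfold(text):
    """Join indented continuation lines onto the syslog record they follow."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records


def infected_but_delivered(text):
    """Map message ID -> [(virus, file)] where a deliver action was also logged."""
    actions = {}
    viruses = defaultdict(list)
    for rec in unfold(text):
        if "MailScanner[" not in rec:
            continue
        m = SPAM_ACTIONS.search(rec)
        if m:
            actions[m.group(1)] = m.group(2).split(",")
        m = INFECTED.search(rec)
        if m:
            viruses[m.group(2)].append((m.group(1), m.group(3)))
    return {mid: hits for mid, hits in viruses.items()
            if "deliver" in actions.get(mid, [])}


if __name__ == "__main__":
    for mid, hits in infected_but_delivered(SAMPLE_LOG).items():
        print(mid, hits)
```

A hit means only that both log lines exist for the same message ID; whether the attachment reached the recipient still has to be checked against the delivered message.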


