strange behaviour detected with W32/Mimail@MM

Mariano Absatz mailscanner at LISTS.COM.AR
Thu Sep 4 20:30:32 IST 2003


Hi Julian,

I know I wrote this a month ago, but I couldn't lay my hands on a spare 
server... I upgraded one of the production servers to MailScanner 4.23-11 
today and I'm getting the same results.

I think all the McAfee reports are disappearing from $message->{allreports} 
somehow... I think this 'cause I modified the SQL loggin' routines to get a 
plain text log in real time and I only see filename reports there, never a 
virus report...

Here's a log sample with the current version of MailScanner:

Sep  4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 bytes
Sep  4 16:11:46 or Alerce-OR[24018]: Spam Checks: Starting
Sep  4 16:11:46 or Alerce-OR[24018]: Virus and Content Scanning: Starting
Sep  4 16:11:47 or Alerce-OR[24018]: /app/mailScanner.4.23-11/var/incoming/24018/130309/message.zip        Found the W32/Mimail@MM virus !!!
Sep  4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 infections
Sep  4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses
Sep  4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing msg-24018-1.txt
Sep  4 16:11:47 or Alerce-OR[24018]: Filename Checks: Allowing message.zip
Sep  4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing msg-24018-1.txt
Sep  4 16:11:47 or Alerce-OR[24018]: Filetype Checks: Allowing message.zip
Sep  4 16:11:47 or Alerce-OR[24018]: ZM: message 130309 renamed into 1563661
Sep  4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages

You can see that McAfee does find the virus (and logs it), but lastly, it 
says it delivered the message 'cause it was uninfected.

On 4 Aug 2003 at 10:33, Mariano Absatz wrote:

> These are a couple of production servers, I'll see if I can find a spare 
> machine, set everything up and tell you later today.
> 
> On 3 Aug 2003 at 21:53, Julian Field wrote:
> 
> > Can you confirm that this is still a problem with the latest MailScanner 
> > please?
> > 
> > I can't immediately see why it would do this.
> > 
> > If this is still a problem, then it's obviously something I need to take a 
> > look at urgently.
> > 
> > At 01:26 02/08/2003, you wrote:
> > >I know, I know... my mailer decided to use base64 no matter that I told it
> > >otherwise... well, the log excerpts are at
> > >http://baby.com.ar/MailScanner/mailscanner-log-excerpts
> > >
> > >Thanx.
> > >
> > >On 1 Aug 2003 at 21:21, Mariano Absatz wrote:
> > >
> > > >
> > > > I'm enclosing a text file with results from every one of these tests.
> > > >
> > > > For every test I put the relevant log lines from syslog (luckily enough, the
> > > > traffic was so low, that every test message passed thru mailscanner as a
> > > > complete batch).
> > > >
> > > > Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are equivalent
> > > > to the mysql log (generated by &AlerceLogging, that is a modified version of
> > > > SQLLogging that doesn't do any SQL).
> > > >
> > > > Finally, the relevant MailScanner header lines in the received message.
> > > >
> > >
> > >--
> > >Mariano Absatz
> > >El Baby
> > >----------------------------------------------------------
> > >Always remember you're unique, just like everyone else.
> > 
> > -- 
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> 
> 
> --
> Mariano Absatz
> El Baby
> ----------------------------------------------------------
> The instructions said to use Windows 98 or better,
> so I installed GNU/Linux 2.4.


--
Mariano Absatz
El Baby
----------------------------------------------------------
Lottery: A tax on people who are bad at math.
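
A log check for the symptom reported in this message, as an added example that is not part of the original post and not MailScanner code: it flags any batch in which a virus was found yet every message in the batch was logged as delivered uninfected. It assumes the syslog message formats shown in the log sample above; the second batch (pid 24020) is constructed as a control, and `find_leaked_batches` is a hypothetical name.

```python
import re

# First batch: lines from the post above (wrapped lines rejoined).
# Second batch (pid 24020): constructed control where one of two messages
# is infected and only the other is delivered as uninfected.
SAMPLE_LOG = """\
Sep  4 16:11:46 or Alerce-OR[24018]: New Batch: Scanning 1 messages, 29148 bytes
Sep  4 16:11:47 or Alerce-OR[24018]: Virus Scanning: McAfee found 1 infections
Sep  4 16:11:47 or Alerce-OR[24018]: Virus Scanning: Found 1 viruses
Sep  4 16:11:47 or Alerce-OR[24018]: Uninfected: Delivered 1 messages
Sep  4 16:12:01 or Alerce-OR[24020]: New Batch: Scanning 2 messages, 40211 bytes
Sep  4 16:12:02 or Alerce-OR[24020]: Virus Scanning: Found 1 viruses
Sep  4 16:12:02 or Alerce-OR[24020]: Uninfected: Delivered 1 messages
"""

# timestamp, host, program[pid]: message
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ \S+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NEW_BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
# Use the summary line only; the per-scanner "found N infections" line
# would count the same detection twice.
FOUND = re.compile(r"Virus Scanning: Found (\d+) viruses")
DELIVERED = re.compile(r"Uninfected: Delivered (\d+) messages")

def find_leaked_batches(log_text):
    """Return (pid, batch_start, viruses, delivered) for each batch where a
    virus was found but all messages were still delivered as uninfected."""
    open_batches = {}  # pid -> state of the batch that child is working on
    leaks = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (b := NEW_BATCH.search(msg)):
            open_batches[pid] = {"ts": m["ts"], "size": int(b[1]), "viruses": 0}
        elif pid in open_batches:
            batch = open_batches[pid]
            if (f := FOUND.search(msg)):
                batch["viruses"] += int(f[1])
            elif (d := DELIVERED.search(msg)):
                delivered = int(d[1])
                # Conservative: a mixed batch may legitimately deliver its
                # clean messages, so flag only when nothing was held back.
                if batch["viruses"] > 0 and delivered >= batch["size"]:
                    leaks.append((pid, batch["ts"], batch["viruses"], delivered))
    return leaks

if __name__ == "__main__":
    for leak in find_leaked_batches(SAMPLE_LOG):
        print("virus found but batch delivered as uninfected:", leak)
```
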



