4.23-11: major bug: virus warning text itself appears in quarantine

Andy Sutton sutton at PESSIMISTS.NET
Tue Sep 30 01:18:20 IST 2003


On Sun, 2003-09-28 at 13:25, Peter Bonivart wrote:
> Since I don't catch them, or rather quarantine them, I guess I have to
> generate such a message myself. I try that tomorrow when I'm back at work.
>

I just upgraded MailScanner to the latest rev 4.23-11 over the weekend
and started seeing this issue.  Could it be related to the following?

http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0309&L=mailscanner&P=R48619&I=3

Found this issue with a Staples e-flyer - those bad Staples people.  It
makes sense if the message was tagged as a bad filename it would strip
the file that is attached.  In this case it is the warning message.
I've applied the patch mentioned in the archived message above, so I'll
know if this keeps persisting.  Perhaps I'm off base - I'm just guessing
here.  I've changed my "Quarantine Whole Message" to yes to see if I can
catch the HTML that is causing this.

Relevant config:
Quarantine Infections = yes
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = yes

Allow IFrame Tags = yes
Log IFrame Tags = no
Allow Form Tags = no
Allow Object Codebase Tags = yes
Convert Dangerous HTML To Text = yes

Mail log:
Sep 29 18:44:31 weebles MailScanner[23394]: New Batch: Scanning 1 messages, 11032 bytes
Sep 29 18:44:33 weebles MailScanner[23394]: Virus and Content Scanning: Starting
Sep 29 18:44:33 weebles MailScanner[23394]: Content Checks: Detected HTML-specific exploits in 2120534F088
Sep 29 18:44:33 weebles MailScanner[23394]: Content Checks: Found 1 problems
Sep 29 18:44:33 weebles MailScanner[23394]: Saved infected "msg-23394-11.html" to /foo/MailScanner/quarantine/20030929/2120534F088

Subject of Staples e-mail (sorry, only have the warning in the
quarantine, not the actual html message)

Subject: {Filename} Shop Staples - now waaaaay easier.


Andy

"I figure if I survive this thing... I can just about do anything I
want.  If I don't survive, I don't have to pay taxes anymore.  So it's a
win-win situation."  Brian Walker, Project RUSH - X Prize Competitor
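
Added example, not part of the original post or of MailScanner: a small Python script that correlates the "Content Checks: Detected ..." and "Saved infected ..." entries from a mail log like the one above by queue ID, so each quarantine directory can be checked for what was actually stored. The function names are hypothetical, the sample is the post's log excerpt embedded as constructed input with mail-style line wrapping, and it assumes the last component of the quarantine path is the queue ID, as in that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: the post's log excerpt, wrapped the way a mail client would.
SAMPLE_LOG = """\
Sep 29 18:44:31 weebles MailScanner[23394]: New Batch: Scanning 1
messages, 11032 bytes
Sep 29 18:44:33 weebles MailScanner[23394]: Virus and Content Scanning:
Starting
Sep 29 18:44:33 weebles MailScanner[23394]: Content Checks: Detected
HTML-specific exploits in 2120534F088
Sep 29 18:44:33 weebles MailScanner[23394]: Content Checks: Found 1
problems
Sep 29 18:44:33 weebles MailScanner[23394]: Saved infected
"msg-23394-11.html" to /foo/MailScanner/quarantine/20030929/2120534F088
"""
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ MailScanner\[\d+\]: (.*)$")
DETECTED = re.compile(r"^Content Checks: Detected (.+?) in (\S+)$")
SAVED = re.compile(r'^Saved infected "([^"]+)" to (\S+)$')

def unwrap(text):
    """Re-join wrapped entries: a line without a syslog prefix continues the previous one."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SYSLOG.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def correlate(text):
    """Map queue ID -> content-check reasons and (filename, quarantine dir) pairs."""
    report = defaultdict(lambda: {"reasons": [], "saved": []})
    for entry in unwrap(text):
        m = SYSLOG.match(entry)
        if not m:
            continue
        if d := DETECTED.match(m.group(1)):
            report[d.group(2)]["reasons"].append(d.group(1))
        elif s := SAVED.match(m.group(1)):
            # Assumption: the quarantine directory is named after the queue ID.
            queue_id = s.group(2).rstrip("/").rsplit("/", 1)[-1]
            report[queue_id]["saved"].append((s.group(1), s.group(2)))
    return dict(report)

if __name__ == "__main__":
    for queue_id, info in correlate(SAMPLE_LOG).items():
        print(queue_id, info["reasons"], info["saved"])
```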


