Multi-Volume Archive Cannot be Scanned

System Admins sysadmins at ENHTECH.COM
Wed Apr 14 22:07:02 IST 2004


Hi,

Don't know if this has been discussed before. If it has, I sincerely apologize.

I just got a postmaster message with an infected zip file attached. Here is
the message:

//Message Begin

From: MAILER-DAEMON at amcity.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: info at lgww.com

This is the Postfix program at host relay.amcity.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

                        The Postfix program

<cnelligan at bizjournals.com>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
     content rejected, id=11181-02-7 - VIRUS: Worm.SomeFool.P (in reply to end
     of DATA command)
Reporting-MTA: dns; relay.amcity.com
Arrival-Date: Wed, 14 Apr 2004 16:45:56 -0400 (EDT)

Final-Recipient: rfc822; cnelligan at bizjournals.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
     content rejected, id=11181-02-7 - VIRUS: Worm.SomeFool.P (in reply to end
     of DATA command)
Received: from bizjournals.com (uslec-66-255-185-234.cust.uslec.net
[66.255.185.234])
        by relay.amcity.com (Postfix) with SMTP id F382335F84
        for <boston at bizjournals.com>; Wed, 14 Apr 2004 16:45:56 -0400 (EDT)
From: info at lgww.com
To: boston at bizjournals.com
Subject: Re: Extended Mail
Date: Wed, 14 Apr 2004 17:06:30 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040414204556.F382335F84 at relay.amcity.com>


Bad Gateway: The message has been attached.

//Message End


When I pulled it off the pop3 server, Norton got it. So I was curious as to
why the protection we have in place did not catch it.
Here is the log output:


[root at mailscanner log]# cat maillog | grep relay2.amcity.com
Apr 14 16:46:08 mailscanner sendmail[21860]: i3EKk7qM021860: from=<>,
size=31338, class=0, nrcpts=1,
msgid=<20040414204603.18F8836122 at relay.amcity.com>, proto=ESMTP,
daemon=MTA, relay=relay2.amcity.com [65.213.145.12]
[root at mailscanner log]# cat maillog | grep i3EKk7qM021860
Apr 14 16:46:07 mailscanner sendmail[21860]: i3EKk7qM021860: Milter
(milter-sender): local socket name /var/lib/milter-sender/socket unsafe
Apr 14 16:46:07 mailscanner sendmail[21860]: i3EKk7qM021860: Milter
(milter-sender): to error state
Apr 14 16:46:08 mailscanner sendmail[21860]: i3EKk7qM021860: from=<>,
size=31338, class=0, nrcpts=1,
msgid=<20040414204603.18F8836122 at relay.amcity.com>, proto=ESMTP,
daemon=MTA, relay=relay2.amcity.com [65.213.145.12]
Apr 14 16:46:08 mailscanner sendmail[21860]: i3EKk7qM021860:
to=<info at lgww.com>, delay=00:00:01, mailer=esmtp, pri=61338, stat=queued
Apr 14 16:46:15 mailscanner MailScanner[12216]: ERROR:: The file passed for
scanning represented part of a multi volume archive - the file cannot be
scanned (549):: ./i3EKk7qM021860/readme_boston.zip

Is this a Sophos problem or MailScanner problem? Secondly, how do I prevent
this stuff from happening again?



Best Regards,


Errol Neal
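The MailScanner error in the log above says the attachment was refused for scanning because it looked like one segment of a multi-volume archive. As an added example, not code from the original post or from MailScanner or Sophos, the following Python script shows how a gateway-side check can recognise that condition from the ZIP's own End-of-Central-Directory (EOCD) record and treat such an attachment as unscannable, blocking it rather than letting it through unscanned. The sample archives, the function names and the "scan"/"block" policy strings are constructed for this illustration.

```python
import io
import struct
import zipfile

# ZIP End Of Central Directory record: signature + 7 fixed fields = 22 bytes,
# optionally followed by an archive comment of up to 65535 bytes.
EOCD_SIG = b"PK\x05\x06"
EOCD_STRUCT = struct.Struct("<4sHHHHIIH")
MAX_COMMENT = 0xFFFF
# Marker that the first segment of a spanned archive carries at offset 0.
SPAN_MARKER = b"PK\x07\x08"


def find_eocd(data: bytes):
    """Return the parsed EOCD record as a dict, or None if no record is present.

    A missing EOCD means the bytes are not a ZIP, are truncated, or are a
    non-final segment of a split archive (only the last segment has the EOCD).
    """
    tail = data[-(EOCD_STRUCT.size + MAX_COMMENT):]
    idx = tail.rfind(EOCD_SIG)  # last occurrence; a comment could hide a fake one
    if idx < 0 or len(tail) - idx < EOCD_STRUCT.size:
        return None
    (_sig, this_disk, cd_start_disk, entries_this_disk,
     entries_total, cd_size, cd_offset, comment_len) = EOCD_STRUCT.unpack_from(tail, idx)
    return {
        "this_disk": this_disk,
        "cd_start_disk": cd_start_disk,
        "entries_this_disk": entries_this_disk,
        "entries_total": entries_total,
        "cd_size": cd_size,
        "cd_offset": cd_offset,
        "comment_len": comment_len,
    }


def classify_zip(data: bytes) -> str:
    """Classify bytes as 'single-volume', 'multi-volume' or 'no-eocd'."""
    if data.startswith(SPAN_MARKER):
        return "multi-volume"  # first segment of a spanned archive
    eocd = find_eocd(data)
    if eocd is None:
        return "no-eocd"
    # Any non-zero disk number, or entries spread over several disks,
    # means the central directory refers to data the scanner does not have.
    if (eocd["this_disk"] != 0 or eocd["cd_start_disk"] != 0
            or eocd["entries_this_disk"] != eocd["entries_total"]):
        return "multi-volume"
    return "single-volume"


def attachment_policy(data: bytes) -> str:
    """Constructed gateway policy: only a complete archive is handed to the AV engine.

    Anything the engine could not fully inspect is blocked instead of delivered,
    which is the fail-closed behaviour the log line above did not apply.
    """
    return "scan" if classify_zip(data) == "single-volume" else "block"


def make_single_volume_zip() -> bytes:
    """Constructed sample: an ordinary one-file archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample content\n")
    return buf.getvalue()


def make_multi_volume_zip() -> bytes:
    """Constructed sample: the same archive with its EOCD disk fields patched to 1,
    as the final segment of a two-part split archive would carry."""
    data = bytearray(make_single_volume_zip())
    idx = data.rfind(EOCD_SIG)
    # 'number of this disk' at idx+4, 'disk where CD starts' at idx+6 (uint16 LE)
    struct.pack_into("<HH", data, idx + 4, 1, 1)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("normal zip", make_single_volume_zip()),
                          ("split zip", make_multi_volume_zip()),
                          ("not a zip", b"not a zip at all")):
        print(f"{label:10s} -> {classify_zip(sample):14s} policy={attachment_policy(sample)}")
```

The check reads only the EOCD fields, so it costs nothing compared with a full scan and does not depend on which AV engine sits behind the gateway; the point is that "cannot be scanned" is a reason to withhold delivery, not to queue the message as the sendmail log shows happened here.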


