Multi-Volume Archive Cannot be Scanned

Julian Field mailscanner at ecs.soton.ac.uk
Wed Apr 14 22:13:51 IST 2004


At 22:07 14/04/2004, you wrote:
>Hi,
>
>Don't know if this has been discussed before. If it has, I sincerely apologize.
>
>I just got a postmaster message with an infected zip file attached. Here is
>the message:
>
>//Message Begin
>
>From: MAILER-DAEMON at amcity.com (Mail Delivery System)
>Subject: Undelivered Mail Returned to Sender
>To: info at lgww.com
>
>This is the Postfix program at host relay.amcity.com.
>
>I'm sorry to have to inform you that the message returned
>below could not be delivered to one or more destinations.
>
>For further assistance, please send mail to <postmaster>
>
>If you do so, please include this problem report. You can
>delete your own text from the message returned below.
>
>                        The Postfix program
>
><cnelligan at bizjournals.com>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
>     content rejected, id=11181-02-7 - VIRUS: Worm.SomeFool.P (in reply to end
>     of DATA command)
>Reporting-MTA: dns; relay.amcity.com
>Arrival-Date: Wed, 14 Apr 2004 16:45:56 -0400 (EDT)
>
>Final-Recipient: rfc822; cnelligan at bizjournals.com
>Action: failed
>Status: 5.0.0
>Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
>     content rejected, id=11181-02-7 - VIRUS: Worm.SomeFool.P (in reply to end
>     of DATA command)
>Received: from bizjournals.com (uslec-66-255-185-234.cust.uslec.net
>[66.255.185.234])
>        by relay.amcity.com (Postfix) with SMTP id F382335F84
>        for <boston at bizjournals.com>; Wed, 14 Apr 2004 16:45:56 -0400 (EDT)
>From: info at lgww.com
>To: boston at bizjournals.com
>Subject: Re: Extended Mail
>Date: Wed, 14 Apr 2004 17:06:30 -0400
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
>        boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
>X-Priority: 3
>X-MSMail-Priority: Normal
>Message-Id: <20040414204556.F382335F84 at relay.amcity.com>
>
>
>Bad Gateway: The message has been attached.
>
>//Message End
>
>
>When I pulled it off the pop3 server, Norton got it. So I was curious as to
>why the protection we have in place did not catch it.
>Here is the log output:
>
>
>[root at mailscanner log]# cat maillog | grep relay2.amcity.com
>Apr 14 16:46:08 mailscanner sendmail[21860]: i3EKk7qM021860: from=<>,
>size=31338, class=0, nrcpts=1,
>msgid=<20040414204603.18F8836122 at relay.amcity.com>, proto=ESMTP,
>daemon=MTA, relay=relay2.amcity.com [65.213.145.12]
>[root at mailscanner log]# cat maillog | grep i3EKk7qM021860
>Apr 14 16:46:07 mailscanner sendmail[21860]: i3EKk7qM021860: Milter
>(milter-sender): local socket name /var/lib/milter-sender/socket unsafe
>Apr 14 16:46:07 mailscanner sendmail[21860]: i3EKk7qM021860: Milter
>(milter-sender): to error state
>Apr 14 16:46:08 mailscanner sendmail[21860]: i3EKk7qM021860: from=<>,
>size=31338, class=0, nrcpts=1,
>msgid=<20040414204603.18F8836122 at relay.amcity.com>, proto=ESMTP,
>daemon=MTA, relay=relay2.amcity.com [65.213.145.12]
>Apr 14 16:46:08 mailscanner sendmail[21860]: i3EKk7qM021860:
>to=<info at lgww.com>, delay=00:00:01, mailer=esmtp, pri=61338, stat=queued
>Apr 14 16:46:15 mailscanner MailScanner[12216]: ERROR:: The file passed for
>scanning represented part of a multi volume archive - the file cannot be
>scanned (549):: ./i3EKk7qM021860/readme_boston.zip
>
>Is this a Sophos problem or MailScanner problem?

Sophos. It's an error generated by Sophos.

>  Secondly, how do I prevent
>this stuff from happening again?

Difficult one, that. What does ClamAV make of the original message? Sophos
has just refused to scan it.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
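The Sophos error above (549, "part of a multi volume archive") is a statement about the zip container, not about the payload: a scanner that does not support spanned archives refuses any zip whose header fields claim it is one segment of a multi-disk set, and the attachment then reaches the user unscanned unless the gateway fails closed. The following is an added example, not MailScanner or Sophos code, showing at the byte level what makes a zip look multi-volume (the first-segment marker PK\x07\x08 or PK00 at offset 0, or non-zero disk numbers in the end-of-central-directory record) and a small policy function that quarantines such attachments instead of letting them through. The sample archive and the patched "disk 1" variant are constructed inline for the example; readme_boston.zip itself is not on the page, and the function names (`multivolume_reason`, `scan_decision`, `fake_multivolume`) are this example's own.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"     # end-of-central-directory record signature
SPAN_SIG = b"PK\x07\x08"     # first 4 bytes of segment 1 of a spanned archive
SPLIT_TMP_SIG = b"PK00"      # marker left when splitting produced a single segment
EOCD_FMT = "<HHHHIIH"        # fields after the signature, 18 bytes, little-endian


def find_eocd(data: bytes):
    """Parse the EOCD record at the end of a zip, or return None if absent.

    The record is 22 bytes plus an optional comment of at most 65535 bytes,
    so it is enough to search backwards over that window.
    """
    start = max(0, len(data) - 22 - 65535)
    idx = data.rfind(EOCD_SIG, start)
    if idx < 0 or idx + 22 > len(data):
        return None
    (disk_no, cd_disk, entries_this_disk, entries_total,
     cd_size, cd_offset, comment_len) = struct.unpack(EOCD_FMT, data[idx + 4:idx + 22])
    return {
        "disk_no": disk_no,                    # number of this disk
        "cd_disk": cd_disk,                    # disk where the central directory starts
        "entries_this_disk": entries_this_disk,
        "entries_total": entries_total,
        "cd_size": cd_size,
        "cd_offset": cd_offset,
        "comment_len": comment_len,
    }


def multivolume_reason(data: bytes):
    """Return why this zip cannot be scanned as a single archive, or None."""
    if data[:4] == SPAN_SIG:
        return "starts with spanned-archive marker PK\\x07\\x08"
    if data[:4] == SPLIT_TMP_SIG:
        return "starts with split-archive marker PK00"
    eocd = find_eocd(data)
    if eocd is None:
        return "no end-of-central-directory record (truncated or not a zip)"
    if eocd["disk_no"] != 0 or eocd["cd_disk"] != 0:
        return (f"EOCD says this is disk {eocd['disk_no']} and the central "
                f"directory starts on disk {eocd['cd_disk']}")
    if eocd["entries_this_disk"] != eocd["entries_total"]:
        return (f"EOCD lists {eocd['entries_this_disk']} entries on this disk "
                f"but {eocd['entries_total']} in total")
    return None


def scan_decision(attachment_name: str, data: bytes):
    """Gateway policy (this example's own): fail closed on unscannable archives.

    Returns ("quarantine", message) when the virus scanner would refuse the
    file, otherwise ("scan", attachment_name) to hand it to the scanner.
    """
    reason = multivolume_reason(data)
    if reason:
        return ("quarantine", f"{attachment_name}: archive cannot be scanned ({reason})")
    return ("scan", attachment_name)


def make_sample_zip() -> bytes:
    """Constructed benign single-volume zip used as the example's input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample, not the worm's payload")
    return buf.getvalue()


def fake_multivolume(data: bytes) -> bytes:
    """Patch the EOCD so the archive claims to be disk 1 of a set (constructed).

    Only the two disk-number fields change; the file data and central
    directory are untouched, so the archive still looks complete to the eye.
    """
    idx = data.rfind(EOCD_SIG)
    fields = list(struct.unpack(EOCD_FMT, data[idx + 4:idx + 22]))
    fields[0] = 1   # number of this disk
    fields[1] = 1   # disk on which the central directory starts
    return data[:idx + 4] + struct.pack(EOCD_FMT, *fields) + data[idx + 22:]


if __name__ == "__main__":
    good = make_sample_zip()
    bad = fake_multivolume(good)
    for name, blob in (("readme.txt.zip", good), ("readme_boston.zip", bad)):
        print(scan_decision(name, blob))
```

The point of the patched variant is that the rest of the zip is intact: an unpacker that ignores the disk fields extracts it happily, which is exactly the mismatch between what the gateway scanner refused and what the desktop product later caught. Treating any scanner "cannot scan" result as a quarantine decision, rather than as a logged error, is the fail-closed behaviour the original question is asking for.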