[URGENT] How to intercept a copy of virus-infected message?

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Fri Apr 30 10:36:17 IST 2004


Mike

I quarantine this sort of stuff,

Quarantine Dir = /var/spool/MailScanner/quarantine

Quarantine Infections = yes

# Do you want to quarantine the original *entire* message as well as
# just the infected attachments?
# This can also be the filename of a ruleset.
Quarantine Whole Message = yes

# When you quarantine an entire message, do you want to store it as
# raw mail queue files (so you can easily send them onto users) or
# as human-readable files (header then body in 1 file)?
Quarantine Whole Messages As Queue Files = yes

# Where to send the notices.
# This can also be the filename of a ruleset.
Notices To = postmaster at mydomain


in mailscanner.conf

then I zip up the files with passwd protection and send them off to
Sophos support.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

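Once a whole message sits in the quarantine, the practical next step before handing it to Sophos is to confirm which attachment actually tripped the filename rules and to record a hash for the support ticket. The script below is an added example, not code from the thread or from MailScanner; it assumes the message was stored as a single human-readable RFC 822 file (i.e. Quarantine Whole Messages As Queue Files = no) rather than as Sendmail queue files, and the blocked-suffix list and sample message are constructed for illustration.

```python
import hashlib
from email import message_from_bytes
from email.policy import default

# Constructed for this example: suffixes the site's filename rules reject
# (".hta" as in the original thread, plus one more for illustration).
BLOCKED_SUFFIXES = (".hta", ".exe")

# Constructed sample of a quarantined message stored as one RFC 822 file.
# The attachment body is just "<html></html>", base64-encoded.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: user@example.org
Subject: price list
Message-ID: <constructed-001@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="price.hta"
Content-Disposition: attachment; filename="price.hta"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
"""

def triage_quarantined_message(raw: bytes) -> dict:
    """Parse a whole quarantined message and list the attachments whose
    names would fail the filename rules, with a SHA-256 for the vendor ticket.
    Payloads are decoded in memory only; nothing is written to disk or run."""
    msg = message_from_bytes(raw, policy=default)
    report = {"message_id": str(msg["Message-ID"]),
              "subject": str(msg["Subject"]), "blocked": []}
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(BLOCKED_SUFFIXES):
            continue
        payload = part.get_payload(decode=True) or b""
        report["blocked"].append({"filename": name, "size": len(payload),
                                  "sha256": hashlib.sha256(payload).hexdigest()})
    return report

if __name__ == "__main__":
    for hit in triage_quarantined_message(SAMPLE_MESSAGE)["blocked"]:
        print(f"{hit['filename']}  {hit['size']} bytes  sha256={hit['sha256']}")
```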

Mike Brudenell wrote:
> Greetings -
>
> I believe our site is being sent copies of a virus (probably Bagle-X or a
> variant) that Sophos Anti-Virus is not identifying.  At present the
> messages are only being blocked because we have MailScanner configured not
> to allow attachments with filename suffixes such as ".hta" etc.
>
> Sophos (the company!) have asked me to grab a couple of these messages and
> send them in for analysis.
>
> Please could someone quickly explain how to configure MailScanner (4.29.3)
> to intercept such a message: ideally forwarding it to a specific e-mail
> address or, second choice, to quarantine its Sendmail queue files?
>
> Ideally I guess I'd just like to intercept messages which are being blocked
> because they are failing the filename based checks; I'm not particularly
> interested in getting the ones infected with known viruses because, well,
> Sophos Anti-Virus already knows them!  :-}
>
> With many thanks,
>
> Mike B-)
>
> --
> The Computing Service, University of York, Heslington, York Yo10 5DD, UK
> Tel:+44-1904-433811  FAX:+44-1904-433740
>
> * Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html

