Let MailScanner report the significant/all things

Kai Wang kwang at UCALGARY.CA
Wed Aug 11 23:36:14 IST 2004


<x-flowed>
Hi,

We received many requests to un-quarantine the price.exe files recently.
The reason is that the messages attach one zip file with two files in it.
One file (price.html) is infected and the other one (price.exe) matches
the file name extension rule. MailScanner only tells the recipient that
the exe file is dangerous and does not show anything about the infected
one.  Is it possible for MailScanner to report all infections it found
or at least the most significant one?

Here is an example:

The infection report the user received shows:
At Mon Aug 9 13:56:37 2004 the virus scanner reported:
          MailScanner: Executable DOS/Windows programs are dangerous in email (price.exe)

The syslog shows:
Aug  9 13:56:27 mhub3 MailScanner[12094]: Saved archive copies of i79JuNr00332 i79JuLr32737 i79JuNr00327 i79JuLr32650
Aug  9 13:56:37 mhub3 MailScanner[12094]: /i79JuNr00327/price2.zip/PRICE.HTML/0000007b.js        Found the JS/IllWill trojan !!!
Aug  9 13:56:37 mhub3 MailScanner[12094]: /i79JuNr00327/price.html/0000007b.js        Found the JS/IllWill trojan !!!
Aug  9 13:56:37 mhub3 MailScanner[12094]: Infected message i79JuNr00327 came from 66.134.82.43
Aug  9 13:56:37 mhub3 MailScanner[12094]: Filename Checks: ZIP File (i79JuNr00327 price2.zip)
Aug  9 13:56:37 mhub3 MailScanner[12094]: Filename Checks: Windows/DOS Executable (i79JuNr00327 price/price.exe)
Aug  9 13:56:37 mhub3 MailScanner[12094]: Saved infected "price.exe" to /var/spool/MailScanner/quarantine/20040809/i79JuNr00327
Aug  9 13:56:37 mhub3 MailScanner[12094]: Saved infected "price.html" to /var/spool/MailScanner/quarantine/20040809/i79JuNr00327
Aug  9 13:56:37 mhub3 MailScanner[12094]: Saved infected "price2.zip" to /var/spool/MailScanner/quarantine/20040809/i79JuNr00327



Kai Wang
University of Calgary

</x-flowed>
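
For anyone handling un-quarantine requests like the ones described in the post, the sketch below groups every logged reason per message id and lists virus findings ahead of filename-rule hits. It is an added example, not part of the original post or of MailScanner; the regular expressions are inferred from the syslog lines quoted above, and the function names `summarize` and `reasons` are hypothetical.

```python
import re
from collections import defaultdict

# Syslog lines for message i79JuNr00327, copied from the post above.
SAMPLE_LOG = """\
Aug  9 13:56:37 mhub3 MailScanner[12094]: /i79JuNr00327/price2.zip/PRICE.HTML/0000007b.js        Found the JS/IllWill trojan !!!
Aug  9 13:56:37 mhub3 MailScanner[12094]: /i79JuNr00327/price.html/0000007b.js        Found the JS/IllWill trojan !!!
Aug  9 13:56:37 mhub3 MailScanner[12094]: Infected message i79JuNr00327 came from 66.134.82.43
Aug  9 13:56:37 mhub3 MailScanner[12094]: Filename Checks: ZIP File (i79JuNr00327 price2.zip)
Aug  9 13:56:37 mhub3 MailScanner[12094]: Filename Checks: Windows/DOS Executable (i79JuNr00327 price/price.exe)
Aug  9 13:56:37 mhub3 MailScanner[12094]: Saved infected "price.exe" to /var/spool/MailScanner/quarantine/20040809/i79JuNr00327
Aug  9 13:56:37 mhub3 MailScanner[12094]: Saved infected "price.html" to /var/spool/MailScanner/quarantine/20040809/i79JuNr00327
Aug  9 13:56:37 mhub3 MailScanner[12094]: Saved infected "price2.zip" to /var/spool/MailScanner/quarantine/20040809/i79JuNr00327
"""

# Patterns inferred from the lines above (assumed, not taken from MailScanner).
BODY = re.compile(r"MailScanner\[\d+\]: (.*)$")
VIRUS = re.compile(r"^/(?P<id>[^/]+)/(?P<path>.+?)\s+Found the (?P<name>.+?) !!!$")
FILENAME = re.compile(r"^Filename Checks: (?P<rule>.+) \((?P<id>\S+) (?P<file>.+)\)$")
SAVED = re.compile(r'^Saved infected "(?P<file>[^"]+)" to \S+/(?P<id>[^/\s]+)$')


def summarize(log_text):
    """Collect virus hits, filename-rule hits and quarantined files per message id."""
    msgs = defaultdict(lambda: {"virus": set(), "filename": set(), "saved": set()})
    for line in log_text.splitlines():
        m = BODY.search(line)
        if not m:
            continue
        body = m.group(1)
        if (v := VIRUS.match(body)):
            msgs[v["id"]]["virus"].add((v["name"], v["path"]))
        elif (f := FILENAME.match(body)):
            msgs[f["id"]]["filename"].add((f["rule"], f["file"]))
        elif (s := SAVED.match(body)):
            msgs[s["id"]]["saved"].add(s["file"])
    return msgs


def reasons(msgs, msg_id):
    """Every reason logged for one message, virus findings listed first."""
    m = msgs[msg_id]
    out = [f"virus: {n} in {p}" for n, p in sorted(m["virus"])]
    out += [f"filename rule: {r} ({f})" for r, f in sorted(m["filename"])]
    return out


if __name__ == "__main__":
    for reason in reasons(summarize(SAMPLE_LOG), "i79JuNr00327"):
        print(reason)
```

Run against the excerpt from the post, the output lists the two JS/IllWill findings before the ZIP and executable filename rules, which is the information the recipient's report left out.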


