virus detected but still delivered

Julian Field mailscanner at ecs.soton.ac.uk
Fri Feb 6 07:23:46 GMT 2004


What do you have set as your incoming working dir (what was
/var/spool/MailScanner/incoming)?
You need to have the real absolute path to it in your MailScanner.conf, i.e.
/datavol15/incoming

At 22:43 05/02/2004, you wrote:
>Hello,
>
>MailScanner-4.25-14
>Mail-SpamAssassin-2.63
>Solaris 9
>McAfee engine 4.3.20 and DAT 4322
>
>         McAfee stopped running some time ago for me. My file extension rules
>were keeping out so many viruses I never realized it stopped until
>today. I got it running again but still have a problem. Below is a log
>snippet that shows the virus in this batch of three messages being
>detected but still delivered. What configuration setting did I screw
>up?
>
>
>Feb  5 17:27:38 mailhost MailScanner[9732]: New Batch: Found 408
>messages waiting
>Feb  5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3
>messages, 49642 bytes
>Feb  5 17:27:38 mailhost MailScanner[9732]: Spam Checks: Starting
>Feb  5 17:27:38 mailhost MailScanner[9732]: RBL checks: i15MGrbt004289
>found in spamhaus.org
>Feb  5 17:27:40 mailhost MailScanner[9732]: Message i15MGrbt004289 from
>64.253.207.198 (6-5567031-sju.edu?jh127389 at stderr.emarketmachine2.com)
>to sju.edu is spam, spamhaus.org, SpamAssassin (score=6.7, required 6,
>BAYES_80 2.86, BigEvilList_159 3.00, CLICK_BELOW 0.00, HTML_50_60 0.10,
>HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_FACE_ODD 0.32, HTML_IMAGE_RATIO_06
>0.23, HTML_WEB_BUGS 0.10)
>Feb  5 17:27:41 mailhost MailScanner[9732]: RBL checks: i15MEDbd001213
>found in spamhaus.org
>Feb  5 17:27:43 mailhost MailScanner[9732]: Message i15MEDbd001213 from
>69.56.42.89 (bounce-rllrwsssgvrewz at jaadvjjjc.planetaryorbitz.com) to
>sju.edu is spam, spamhaus.org, SpamAssassin (score=8, required 6,
>BANG_MONEY 1.72, BAYES_60 1.10, BigEvilList_49 3.00, CLICK_BELOW_CAPS
>0.50, HTML_60_70 0.10, HTML_FONT_BIG 0.22, HTML_FONT_COLOR_BLUE 0.10,
>HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_COLOR_RED 0.10,
>HTML_FONT_COLOR_UNSAFE 0.10, HTML_IMAGE_RATIO_06 0.23,
>HTML_LINK_CLICK_HERE 0.10, MAILTO_TO_SPAM_ADDR 0.68)
>Feb  5 17:27:43 mailhost MailScanner[9732]: Spam Checks: Found 2 spam
>messages
>Feb  5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message
>i15MGrbt004289 actions are striphtml,deliver
>Feb  5 17:27:43 mailhost MailScanner[9732]: Spam Actions: message
>i15MEDbd001213 actions are striphtml,deliver
>Feb  5 17:27:44 mailhost MailScanner[9732]: Virus and Content Scanning:
>Starting
>Feb  5 17:27:46 mailhost MailScanner[9732]:
>/datavol15/incoming/9732/i15MM5bV010213/readme.zip2        Found the
>W32/Mydoom.a at MM virus !!!
>Feb  5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found
>1 infections
>Feb  5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15
>came from
>Feb  5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1
>viruses
>Feb  5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and
>will convert HTML message to plain text in i15MGrbt004289
>Feb  5 17:27:46 mailhost MailScanner[9732]: Content Checks: Detected and
>will convert HTML message to plain text in i15MEDbd001213
>Feb  5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3
>messages
>
>Regards,
>Steve
>--
>Stephen J. Lee                  Saint Joseph's University
>Senior Systems Administrator    5600 City Avenue
>Networking & Telecommunications Philadelphia, PA 19131-1395
>E-mail: lee at sju.edu             Voice: (610) 660-1679
>                                 Fax: (610) 660-1573

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
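
The symptom in the quoted log can be caught mechanically: a batch reports a virus, the "Infected message" line names `datavol15` (a component of the work-directory path) instead of a queue id, and every message in the batch is then delivered as uninfected. The following is an added example, not part of the original thread and not MailScanner's own code; the regular expressions follow the line shapes in the quoted log, and it assumes the reported file sits directly inside the per-message directory, as it does there.

```python
import re

# Constructed sample: lines from the log quoted in the post, unwrapped, spam lines omitted.
SAMPLE_LOG = """\
Feb  5 17:27:38 mailhost MailScanner[9732]: New Batch: Scanning 3 messages, 49642 bytes
Feb  5 17:27:46 mailhost MailScanner[9732]: /datavol15/incoming/9732/i15MM5bV010213/readme.zip2 Found the W32/Mydoom.a at MM virus !!!
Feb  5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: McAfee found 1 infections
Feb  5 17:27:46 mailhost MailScanner[9732]: Infected message datavol15 came from
Feb  5 17:27:46 mailhost MailScanner[9732]: Virus Scanning: Found 1 viruses
Feb  5 17:27:46 mailhost MailScanner[9732]: Uninfected: Delivered 3 messages
"""

LINE = re.compile(r"MailScanner\[(\d+)\]:\s*(.*)$")

def audit(log_text):
    """Return findings for batches where a detection did not stop delivery."""
    findings = []
    batch = {}  # per-PID state for the batch currently being processed
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        st = batch.setdefault(pid, {"size": 0, "viruses": 0, "paths": []})
        if (n := re.match(r"New Batch: Scanning (\d+) messages", msg)):
            batch[pid] = {"size": int(n[1]), "viruses": 0, "paths": []}
        elif msg.startswith("/") and "Found" in msg:
            st["paths"].append(msg.split()[0])  # file the scanner flagged
        elif (n := re.match(r"Virus Scanning: Found (\d+) viruses", msg)):
            st["viruses"] = int(n[1])
        elif (n := re.match(r"Infected message (\S+) came from", msg)):
            # Assumption: the id should be the directory holding the flagged file.
            expected = {p.split("/")[-2] for p in st["paths"]}
            if n[1] not in expected:
                findings.append((pid, "bad-message-id", n[1]))
        elif (n := re.match(r"Uninfected: Delivered (\d+) messages", msg)):
            # A detection in the batch, yet the whole batch went out as clean.
            if st["viruses"] and int(n[1]) >= st["size"] > 0:
                findings.append((pid, "infected-batch-fully-delivered", int(n[1])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
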


