Outstanding mail archiving bug

Raymond Dijkxhoorn raymond at PROLOCATION.NET
Tue Jan 13 23:42:42 GMT 2004


Hi!

> >I mailed a detailed report around the time you were in .nl, but I guess
> >that's lost ? :))
>
> I can't find it, have hunted all over the place for it. Have you still got
> a copy of it or can you describe it again please?

Found one in my quarantine dir ... =)

This should contain the bad message, but it's holding the error template... :

[root at vmx01 1Ag3gn-0004KM-5u]# ls -al
total 12
drwx------    2 exim     exim         4096 Jan 12 16:09 .
drwx------   67 exim     exim         4096 Jan 12 23:58 ..
-rw-------    1 exim     exim         1065 Jan 12 16:09 msg-15123-14.html
[root at vmx01 1Ag3gn-0004KM-5u]# more msg-15123-14.html

Warning: This message has had one or more attachments removed
Warning: (the entire message).
Warning: Please read the "VirusWarning.txt" attachment(s) for more
information.

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail message contained potentially dangerous content,
which has been removed for your safety.

The content is dangerous as it is often used to spread viruses or to gain
personal or confidential information from you, such as passwords or credit
card numbers.

If you wish to receive a copy of the original email, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Mon Jan 12 16:09:16 2004 the content filters said:
   MailScanner: Found dangerous Object Codebase tag in HTML message

Note to Help Desk: Look on MailScanner in
/var/spool/MailScanner/quarantine/20040112 (message 1Ag3gn-0004KM-5u).
--
Postmaster

I also looked up in my logs what happened with this one:

[root at fallback vmx01]# grep 1Ag3gn-0004KM-5u maillog-20040112
Jan 12 16:09:13 vmx01 exim[16638]: 2004-01-12 16:09:13 1Ag3gn-0004KM-5u <=
ciccio at allgratis.zzn.com H=ns3.prolocation.net (toverdoos.prolocation.net)
[194.171.240.23] P=esmtp S=3511
id=200401121509.i0CF95026049 at toverdoos.prolocation.net
Jan 12 16:09:15 vmx01 MailScanner[15123]: Message 1Ag3gn-0004KM-5u from
194.171.240.23 (ciccio at allgratis.zzn.com) to n-vision.nl is spam,
SpamAssassin (score=9.625, required 5, BAYES_50 0.00, DATE_IN_PAST_12_24
0.75, FORGED_MUA_OUTLOOK 2.57, HTML_70_80 0.10, HTML_FONT_INVISIBLE 0.60,
HTML_MESSAGE 0.10, HTML_TITLE_UNTITLED 0.43, MAILTO_SUBJ_REMOVE 0.89,
MIME_HTML_ONLY 0.32, RAZOR2_CF_RANGE_11_50 0.88, RAZOR2_CHECK 1.05,
REMOVE_REMOVAL_2WORD 1.95)
Jan 12 16:09:15 vmx01 MailScanner[15123]: Spam Actions: message
1Ag3gn-0004KM-5u actions are deliver
Jan 12 16:09:16 vmx01 MailScanner[15123]: Content Checks: Detected
HTML-specific exploits in 1Ag3gn-0004KM-5u
Jan 12 16:09:16 vmx01 MailScanner[15123]: Saved infected
"msg-15123-14.html" to
/var/spool/MailScanner/quarantine/20040112/1Ag3gn-0004KM-5u
Jan 12 16:09:17 vmx01 exim[16671]: 2004-01-12 16:09:17 1Ag3gn-0004KM-5u =>
a3 at n-vision.nl R=mailertable_router T=remote_smtp
H=cleanfeed.prolocation.net [81.23.230.7]
Jan 12 16:09:17 vmx01 exim[16671]: 2004-01-12 16:09:17 1Ag3gn-0004KM-5u
Completed

Hope this helps, can look up some more if needed, but I guess they all look
about the same.

Bye,
Raymond.
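
Added example (not part of the original post and not MailScanner code): a Python check that lists quarantine entries whose saved files hold only the warning text, as in the listing above. The marker phrases are taken from the template shown in the post; the function names and the sample tree are made up for illustration.

```python
import os
import sys
import tempfile

# Phrases taken from the warning text shown in the post; a site with a
# customised report template needs its own markers (assumption).
TEMPLATE_MARKERS = (
    "This is a message from the MailScanner E-Mail Virus Protection Service",
    "Note to Help Desk: Look on",
)

def is_warning_template(path, max_bytes=8192):
    """True if the file starts with the replacement warning text."""
    with open(path, "rb") as fh:
        head = fh.read(max_bytes).decode("utf-8", errors="replace")
    return all(marker in head for marker in TEMPLATE_MARKERS)

def find_template_only_entries(day_dir):
    """Message ids under day_dir whose saved files are all warning templates."""
    affected = []
    for msg_id in sorted(os.listdir(day_dir)):
        msg_dir = os.path.join(day_dir, msg_id)
        if os.path.islink(msg_dir) or not os.path.isdir(msg_dir):
            continue
        files = [os.path.join(msg_dir, name) for name in os.listdir(msg_dir)]
        files = [f for f in files if os.path.isfile(f) and not os.path.islink(f)]
        if files and all(is_warning_template(f) for f in files):
            affected.append(msg_id)
    return affected

def build_sample(root):
    """Constructed sample tree: one template-only entry, one with real content."""
    template = "\n".join(TEMPLATE_MARKERS) + " /placeholder/quarantine/dir\n"
    samples = {
        "SAMPLE-TEMPLATE-ONLY": template,
        "SAMPLE-ORIGINAL-KEPT": "<html><body>constructed original body</body></html>\n",
    }
    for msg_id, body in samples.items():
        os.makedirs(os.path.join(root, msg_id))
        with open(os.path.join(root, msg_id, "msg-0-0.html"), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    # With no argument, run against the constructed sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for msg_id in find_template_only_entries(target):
        print("template only, original content missing:", msg_id)
```

Pass a dated quarantine directory as the only argument; an entry is reported only when every file saved for that message is the warning text.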
