tons of infected files getting through???

Jon Fraley jfraley at glenraven.com
Tue Jan 27 21:17:18 GMT 2004


I am seeing something similar.  We run MailScanner 4.25-14, McAfee
v4.2.40 and ClamAV 0.65.  It looks like ClamAV does not identify all
of the Worm.SCO.A as McAfee identifies W32/Mydoom@MM.  These are my
statistics for today:

  W32/Dumaru.a@MM    2
  W32/Klez.h@MM    2
  W32/Mimail.a@MM    1
  W32/Mimail.j@MM    1
  W32/Mydoom@MM    765
  Worm.Dumaru.A    2
  Worm/Klez.H    2
  Worm.Mimail.J    1
  Worm.SCO.A    748

I have verified in my log that this is happening.

Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: from=<>,
size=32981, class=0, nrcpts=1,
msgid=<200401272047.i0RKlus5017510 at crusher.glenraven.com>, proto=SMTP,
daemon=MTA, relay=eagle.glenraven.com [198.85.139.28]
Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510:
to=<linda at glenraven.com>, delay=00:00:01, mailer=relay, pri=30802,
stat=queued
Jan 27 15:48:16 crusher MailScanner[2543]: Virus and Content Scanning:
Starting
Jan 27 15:48:17 crusher MailScanner[2531]: New Batch: Found 2 messages
waiting
Jan 27 15:48:19 crusher MailScanner[2531]: New Batch: Scanning 1
messages, 32040 bytes
Jan 27 15:48:19 crusher MailScanner[2531]: Spam Checks: Starting
Jan 27 15:48:19 crusher MailScanner[2543]:
/i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR        Found
the W32/Mydoom@MM virus !!!
Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found
1 infections
Jan 27 15:48:20 crusher MailScanner[2543]: Infected message
i0RKlus5017510 came from 198.85.139.28
Jan 27 15:48:20 crusher MailScanner[2543]: Saved entire message to
/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510
Jan 27 15:48:20 crusher MailScanner[2543]: Saved infected
"msg-2543-87.txt" to
/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510


On Tue, 2004-01-27 at 15:47, Julian Field wrote:
> At 20:47 27/01/2004, you wrote:
> >Mike Kercher wrote:
> >
> >>How many emails are you pushing per day?  I wonder if it's a load issue.
> >>Have you tried the clamavmodule?
> >>
> >Hi Mike,
> >
> >That's a great question. I generally have about 3k messages go through
> >the server per day. The server load over the past couple of days
> >generally hovers around the 0.55 mark, so I don't think it's a load
> >issue. Not certain though...what do you think?
>
> I don't see any way in which the load could affect it. High load doesn't
> alter the execution of MailScanner.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
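
The per-engine comparison described in the message above can be done from the syslog itself. This is an added example, not part of the original post or of MailScanner: it assumes each engine's report lines are logged before that engine's "Virus Scanning: ... found N infections" line (as in the excerpt), and the ClamAV lines and the second queue id in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpt above, wrapped the same way.
# The ClamAV lines and the id i0RKaaa0000001 are assumptions for illustration.
SAMPLE_LOG = """\
Jan 27 15:48:19 crusher MailScanner[2543]:
/i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR        Found
the W32/Mydoom@MM virus !!!
Jan 27 15:48:19 crusher MailScanner[2543]: /i0RKaaa0000001/msg-2543-88.txt/body.zip/BODY.PIF Found the W32/Mydoom@MM virus !!!
Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found 2 infections
Jan 27 15:48:20 crusher MailScanner[2543]: /i0RKaaa0000001/body.zip: Worm.SCO.A FOUND
Jan 27 15:48:20 crusher MailScanner[2543]: Virus Scanning: ClamAV found 1 infections
"""

STAMP = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
LINE = re.compile(r"MailScanner\[(\d+)\]: ?(.*)")
SUMMARY = re.compile(r"Virus Scanning: (\S+) found (\d+) infections")
REPORT = re.compile(r"\.?/([A-Za-z0-9]+)/")  # first path component = queue id

def unwrap(text):
    """Rejoin syslog records that the mail client wrapped across lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def detections_by_engine(text):
    """Map engine name -> set of queue ids it reported as infected."""
    pending, engines = defaultdict(set), defaultdict(set)
    for record in unwrap(text):
        m = LINE.search(record)
        if not m:
            continue
        pid, msg = m.groups()
        summary, report = SUMMARY.match(msg), REPORT.match(msg)
        if summary:  # reports since the last summary belong to this engine
            engines[summary.group(1)] |= pending.pop(pid, set())
        elif report:
            pending[pid].add(report.group(1))
    return dict(engines)

def missed_by(engines, engine):
    """Queue ids another engine reported but `engine` did not."""
    others = set().union(*(ids for name, ids in engines.items() if name != engine))
    return others - engines.get(engine, set())
```

Calling `missed_by(detections_by_engine(log_text), "ClamAV")` on a day's log lists the queue ids to pull from quarantine and rescan with the engine that stayed silent.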


