tons of infected files getting though??? and clamscan logging

Chris Yuzik chris at FRACTALWEB.COM
Wed Jan 28 06:04:34 GMT 2004 

Hi all,

Ok, now I'm getting somewhere. (and yes, I do talk to myself in the real
world too ;-)

I found a message that was marked as spam but not marked as infected
with "worm.sco.a", although it clearly was. Using MailWatch, I released
the message to myself. Evidently, when messages are released by
MailWatch, it goes right past the virus scanners and in to my inbox. My
windows antivirus program picked it up and notified me when I retrieved
my email. So, the email is definitely infected--no question about that.

Next, I set up a new email address for testing, and released the message
to that account. From the squirrelmail interface, I could see the
message and the attachment, and I forwarded that message to the same
address. When the message arrived, it was correctly tagged as infected.
So why wasn't it originally tagged as infected in the first place? Not sure.

Next, I logged in to my mail server as root, found the message an
manually told clamav to scan it. It scans as "OK". Hmmmm. Something is
up here, and I'm not sure what. I suspect there is something wrong or
unique about the mime parts of the message...but I don't read mime very
well--heck, I find mimes annoying, but I digress.

There must be something different about the messages that clam scans as
"OK" vs. the ones that it scans as "FOUND Worm.SCO.A" when they're both
clearly infected. Here's the message that scans clean, with the encoded
attachment snipped out. Anyone see anything wrong with this?

Cheers,
Chris

> X-ClientAddr: 24.???.???.???
> Return-Path: <~Ag>
> Received: from bondage.com (h???-???-???-???.vf.shawcable.net
> [24.???.???.???])
>         by ns1.fractalweb.com (8.11.6/8.11.6) with ESMTP id i0S3vVV20355
>         for <user at domain.com>; Tue, 27 Jan 2004 19:57:32 -0800
> Message-Id: <200401280357.i0S3vVV20355 at ns1.fractalweb.com>
> From: forgeduser at sendingdomain.com
> To: user at domain.com
> Subject: Error
> Date: Tue, 27 Jan 2004 19:57:32 -0800
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="----=_NextPart_000_0005_09C60BCC.30FFADF6"
> X-Priority: 3
> X-MSMail-Priority: Normal
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0005_09C60BCC.30FFADF6
> Content-Type: text/plain;
>         charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
>
> The message cannot be represented in 7-bit ASCII encoding and has been
> sent as a binary attachment.
>
>
> ------=_NextPart_000_0005_09C60BCC.30FFADF6
> Content-Type: application/octet-stream;
>         name="xnztj.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
>         filename="xnztj.zip"
>
> <<<actual mime encoded virus snipped>>>
>
> ------=_NextPart_000_0005_09C60BCC.30FFADF6--

More information about the MailScanner mailing list