Bagle-Au - Perhaps we should not be so smug?

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Mon Nov 1 07:43:25 GMT 2004 

Julian

I am running MS-4.35.5-1 (BETA) with SA 3.0.1 on one of our 8 mail
gateways. This and the other gateways use both Sophos and McAfee A-V
engines.

When I checked the logs for the Bagle-AU virus this morning I found that
on the 4.35.5-1 system _only_ of the 8 gateways, the logs show
MailScanner + Sophos finding the Bagle-AU virus mutiple times in the
_same_ message; that is it has the same Sendmail queue ID.

It appears that MailSanner is not removing some Bagle-infected messages
from "mqueue.in". Some messages have been (re-)scanned 320+ times since
early this morning.

The problem seems to have started on Saturday although we have been
detecting the virus since at least midday Friday with Sophos. We have
Sophos IDE 386.200411010710 currently in use.

I have restarted MailScanner but that has no effect. Am investigating
further.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 31 October 2004 01:27
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Bagle-AU
>
>John Rudd wrote:
>
>>Julian Field wrote:
>>
>>
>>>Are we allowed to sit around feeling smug?
>>>:o)
>>>
>>>My MailScanners are currently trapping this for 5 separate reasons.
>>>
>>>
>>>
>>
>>Just out of curiosity, what are the different reasons?
>>
>>(we block all zips currently, because I haven't been able to 
>upgrade our
>>MS since before the option to block encrypted zips only came out; I'm
>>sort of hoping that both of these new viruses are blockable 
>via our zip
>>blocking alone)
>>
>>
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>Buy the MailScanner book at www.MailScanner.info/store
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

More information about the MailScanner mailing list