Bagle-Au - Perhaps we should not be so smug?

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Mon Nov 1 08:17:59 GMT 2004


Julian

Re. my earlier message, when running MS in debug mode I see the
following message:

"syslog: expected both priority and mask at
/usr/lib/MailScanner/MailScanner/Log.pm line 140". 

I also note that at least one of the Sendmail queue IDs that repeatedly
appears in the logs no longer corresponds to a qf/df pair in
"mqueue.in".

We do roll the logs each morning but this problem has persisted over a
number of days and a number of MS restarts. The OS is RH AS3.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Quentin Campbell
>Sent: 01 November 2004 07:43
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Bagle-Au - Perhaps we should not be so smug?
>
>Julian
>
>I am running MS-4.35.5-1 (BETA) with SA 3.0.1 on one of our 8 mail
>gateways. This and the other gateways use both Sophos and McAfee A-V
>engines.
>
>When I checked the logs for the Bagle-AU virus this morning I found that
>on the 4.35.5-1 system _only_ of the 8 gateways, the logs show
>MailScanner + Sophos finding the Bagle-AU virus multiple times in the
>_same_ message; that is it has the same Sendmail queue ID.
>
>It appears that MailScanner is not removing some Bagle-infected messages
>from "mqueue.in". Some messages have been (re-)scanned 320+ times since
>early this morning.
>
>The problem seems to have started on Saturday although we have been
>detecting the virus since at least midday Friday with Sophos. We have
>Sophos IDE 386.200411010710 currently in use.
>
>I have restarted MailScanner but that has no effect. Am investigating
>further.
>
>Quentin
>---
>PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>                           University of Newcastle,
>                           Newcastle upon Tyne,
>FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>------------------------------------------------------------------------
>"Any opinion expressed above is mine. The University can get its own."
>
>>-----Original Message-----
>>From: MailScanner mailing list 
>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>Sent: 31 October 2004 01:27
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Bagle-AU
>>
>>John Rudd wrote:
>>
>>>Julian Field wrote:
>>>
>>>
>>>>Are we allowed to sit around feeling smug?
>>>>:o)
>>>>
>>>>My MailScanners are currently trapping this for 5 separate reasons.
>>>>
>>>>
>>>>
>>>
>>>Just out of curiosity, what are the different reasons?
>>>
>>>(we block all zips currently, because I haven't been able to upgrade our
>>>MS since before the option to block encrypted zips only came out; I'm
>>>sort of hoping that both of these new viruses are blockable via our zip
>>>blocking alone)
>>>
>>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>Buy the MailScanner book at www.MailScanner.info/store
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>
>
>
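
An added example, not part of the original message and not MailScanner's own code: one way to check the two symptoms reported in this thread, a Sendmail queue ID flagged as infected many times in the logs, and whether its qf/df pair still exists in the incoming queue. The log line shape, host name, PIDs and queue IDs below are constructed assumptions.

```python
import os
import re
import tempfile
from collections import Counter

# Assumption: an infection line names the file as "./<queue-id>/<attachment>"
# and Sendmail queue IDs are 14 alphanumeric characters.
INFECTION = re.compile(r"MailScanner\[\d+\]: .*\bfound in\b.*?\./([A-Za-z0-9]{14})/")

# Constructed sample log lines (hypothetical host, PIDs and queue IDs).
SAMPLE_LOG = [
    "Nov  1 06:01:10 gw1 MailScanner[2211]: Virus Bagle-AU found in file ./iA161Aab012345/price.zip",
    "Nov  1 06:01:40 gw1 MailScanner[2211]: Virus Bagle-AU found in file ./iA162Bcd067890/joke.zip",
    "Nov  1 06:02:10 gw1 MailScanner[2290]: Virus Bagle-AU found in file ./iA161Aab012345/price.zip",
    "Nov  1 06:02:40 gw1 MailScanner[2290]: Virus Bagle-AU found in file ./iA162Bcd067890/joke.zip",
    "Nov  1 06:03:10 gw1 MailScanner[2301]: Virus Bagle-AU found in file ./iA161Aab012345/price.zip",
    "Nov  1 06:03:40 gw1 MailScanner[2301]: Virus Bagle-AU found in file ./iA163Cef011111/news.zip",
    "Nov  1 06:03:41 gw1 MailScanner[2301]: Virus Scanning: Found 1 viruses",
]

def repeated_detections(log_lines, threshold=2):
    """Return {queue_id: hits} for IDs reported infected at least `threshold` times."""
    hits = Counter()
    for line in log_lines:
        m = INFECTION.search(line)
        if m:
            hits[m.group(1)] += 1
    return {qid: n for qid, n in hits.items() if n >= threshold}

def queue_state(queue_dir, qid):
    """Classify a queue ID by which of its qf/df files are still on disk."""
    have_qf = os.path.exists(os.path.join(queue_dir, "qf" + qid))
    have_df = os.path.exists(os.path.join(queue_dir, "df" + qid))
    if have_qf and have_df:
        return "stuck"      # pair still queued, so it keeps being re-scanned
    if have_qf or have_df:
        return "orphaned"   # only half of the pair is left
    return "gone"           # repeatedly logged, but no files in the queue

def triage(log_lines, queue_dir, threshold=2):
    return {qid: (n, queue_state(queue_dir, qid))
            for qid, n in repeated_detections(log_lines, threshold).items()}

def demo():
    """Run triage against a temporary directory standing in for mqueue.in."""
    with tempfile.TemporaryDirectory() as qdir:
        for name in ("qfiA161Aab012345", "dfiA161Aab012345"):
            open(os.path.join(qdir, name), "w").close()
        return triage(SAMPLE_LOG, qdir)
```

On a real gateway, pass the lines of the mail log and the path of the incoming queue to `triage`, after adjusting `INFECTION` to the log format actually in use.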
