Why the messages virus are not stopped by MailScanner?

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Fri Oct 15 13:44:06 IST 2004


<x-flowed>
Ricardo

Ok

Mailwatch will only take the information from MS. As to the virus 
message it depends on what virus regex it's looking for.

There are some alternatives it needs to look for, check the archives of 
the mailwatch-users list.
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Ricardo Luis Cañavate wrote:
> I have just finished upgrading MailScanner to 4.38.8; now the messages are not
> received. This is the log.
> 
> Oct 15 13:32:06 servnozar sendmail[23662]: i9FBW5Br023662:
> from=<r_canavate at terra.es>, size=39427, class=0, nrcpts=2,
> msgid=<HGELIJHMDHKAIELLJFMMCEDPDJAA.r_canavate at terra.es>, proto=ESMTP,
> daemon=Daemon0, relay=smtp.terra.es [213.4.129.129]
> Oct 15 13:32:12 servnozar MailScanner[22928]: Expanding TNEF archive at
> /var/spool/MailScanner/incoming/22928/i9FBW5Br023662/winmail.dat
> Oct 15 13:32:14 servnozar MailScanner[22928]:
> /home/spool.mailscanner/incoming/22928/i9FBW5Br023662/winmail.dat/Part-2.zip
> Found the W32/Netsky.z at MM!zip virus !!!
> Oct 15 13:32:14 servnozar MailScanner[22928]:
> /home/spool.mailscanner/incoming/22928/i9FBW5Br023662/Part-2.zip
> Found the W32/Netsky.z at MM!zip virus !!!
> Oct 15 13:32:14 servnozar MailScanner[22928]:
> /home/spool.mailscanner/incoming/22928/i9FBW5Br023662/Part-2.txt    .exe
> Found the W32/Netsky.z at MM virus !!!
> Oct 15 13:32:15 servnozar MailScanner[22928]:
> /home/spool.mailscanner/incoming/22928/./i9FBW5Br023662/winmail.dat:
> Worm.SomeFool.Z FOUND
> Oct 15 13:32:15 servnozar MailScanner[22928]:
> /home/spool.mailscanner/incoming/22928/./i9FBW5Br023662/Part-2.zip:
> Worm.SomeFool.Z FOUND
> Oct 15 13:32:15 servnozar MailScanner[22928]:
> /home/spool.mailscanner/incoming/22928/./i9FBW5Br023662/Part-2.txt    .exe:
> Worm.SomeFool.Z FOUND
> Oct 15 13:32:16 servnozar MailScanner[22928]: Filename Checks: Windows/DOS
> Executable (i9FBW5Br023662 Part-2.txt
> .exe)
> Oct 15 13:32:16 servnozar MailScanner[22928]: Filetype Checks: No
> executables (i9FBW5Br023662 Part-2.txt
> .exe)
> Oct 15 13:32:16 servnozar MailScanner[22928]: Saved entire message to
> /var/spool/MailScanner/quarantine/20041015/i9FBW5Br023662
> Oct 15 13:32:16 servnozar MailScanner[22928]: Saved infected "Part-2.txt
> .exe" to /var/spool/MailScanner/quarantine/20041015/i9FBW5Br023662
> 
> 
> Is it possible that MailWatch does not sign it as Virus for the Filetype check?
> 
> Thanks
> 
> -----Original Message-----
> From: Martin Hepworth [mailto:martinh at solid-state-logic.com]
> Sent: Friday, 15 October 2004 11:25
> To: ricardo.canavate at nozar.es
> Subject: Re: [MAILSCANNER] Why the messages virus are not stopped by
> MailScanner?
> 
> 
> Ricardo
> 
> OK both your MailScanner and Spamassassin are quite old, I'd suggest you
> upgrade your MailScanner first (watch out for having to reinstall the
> MailWatch as well), then the SpamAssassin to 4.34 and 2.64 respectively.
> 
> I seem to remember sometime in the last few months changes to MS so as
> to fix issues with virus scanning especially on 'bounced' emails. If I'm
> wrong on this I'm sure I'll be corrected.....:-)
> 
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> 
> 
> Ricardo Luis Cañavate wrote:
> 
>>I am using McAfee and I think it is the latest version
>>
>>[root at servnozar root]# uvscan --version --dat
>>/usr/local/uvscan/datfiles/current/
>>Virus Scan for Linux v4.32.0
>>Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
>>reserved.
>>(408) 988-3832  LICENSED COPY - Nov 27 2003
>>
>>Scan engine v4.3.20 for Linux.
>>Virus data file v4399 created Oct 14 2004
>>Scanning for 103750 viruses, trojans and variants.
>>
>>[root at servnozar root]#
>>
>>And it works well
>>
>>[root at servnozar root]# ls
>>eicar.com  lista
>>[root at servnozar root]# uvscan / *.* --dat
>>/usr/local/uvscan/datfiles/current/
>>/root/eicar.com
>>        Found: EICAR test file NOT a virus.
>>[root at servnozar root]#
>>
>>
>>This is the maillog
>>
>>Oct 15 09:47:37 servnozar sendmail[9419]: i9F7laxR009419:
>>from=<r_canavate at terra.es>, size=49430, class=0, nrcpts=1,
>>msgid=<HGELIJHMDHKAIELLJFMMMEDIDJAA.r_canavate at terra.es>, proto=ESMTP,
>>daemon=Daemon0, relay=smtp.terra.es [213.4.129.129]
>>Oct 15 09:47:48 servnozar MailScanner[9034]: Expanding TNEF archive at
>>/var/spool/MailScanner/incoming/9034/i9F7laxR009419/winmail.dat
>>Oct 15 09:47:49 servnozar MailScanner[9034]:
>>/home/spool.mailscanner/incoming/9034/i9F7laxR009419/winmail.dat/letter43.zip
>>Found the W32/Netsky.p at MM!zip virus !!!
>>Oct 15 09:47:49 servnozar MailScanner[9034]:
>>/home/spool.mailscanner/incoming/9034/i9F7laxR009419/letter43.zip
>>Found the W32/Netsky.p at MM!zip virus !!!
>>Oct 15 09:47:50 servnozar sendmail[9447]: i9F7laxR009419:
>>to=<informatica at nozar.es>, delay=00:00:13, xdelay=00:00:00, mailer=local,
>>pri=120811, dsn=2.0.0, stat=Sent
>>
>>MailScanner version is ...
>>
>>Oct 15 09:43:04 servnozar MailScanner[9034]: MailScanner E-Mail Virus
>>Scanner version 4.25-14 starting...
>>Oct 15 09:43:05 servnozar MailScanner[9034]: Config: calling custom init
>>function MailWatchLogging
>>Oct 15 09:43:05 servnozar MailScanner[9034]: Initialising database
>>connection
>>Oct 15 09:43:06 servnozar MailScanner[9034]: Finished initialising database
>>connection
>>
>>With SpamAssassin 2.60, and I also use DCC, razor and pyzor.
>>
>>Linux OS is RedHat 9.0
>>
>>I remember the last change was updating clamav to 0.80, but that was two days
>>ago, because sometimes I use both.
>>Before that, I made some changes in mcafee-wrapper, something about the problem
>>with libc.6 or something similar, but with this change the autoupdate doesn't
>>work, and I returned to the first configuration, also with mcafee-autoupdate to
>>delete old dat files.
>>
>>-----Original Message-----
>>From: Martin Hepworth [mailto:martinh at solid-state-logic.com]
>>Sent: Friday, 15 October 2004 10:40
>>To: ricardo.canavate at nozar.es
>>Subject: Re: [MAILSCANNER] Why the messages virus are not stopped by
>>MailScanner?
>>
>>
>>Hi
>>
>>we need more information
>>
>>what virus scanner, and what version?
>>Is the scanner still working - try it from the command line.
>>Are the virus definitions up to date?
>>
>>Does the message in the maillog relate to the actual message the user
>>says has a virus in it, and what scanner are they using?
>>
>>What version of MailScanner?
>>
>>What operating system is the MailScanner system running on?
>>
>>
>>--
>>Martin Hepworth
>>Snr Systems Administrator
>>Solid State Logic
>>Tel: +44 (0)1865 842300
>>
>>
>>Ricardo Luis Cañavate wrote:
>>
>>
>>>Hi friends!!
>>>
>>>For about a month it has not scanned viruses in messages. Some
>>>users tell me that they are receiving viruses and I do not believe them.
>>>
>>>Looking at the scanned messages in the maillog I see this:
>>>
>>>
>>>THE MESSAGES ARE SCANNED AND THE VIRUS IS FOUND!!
>>>
>>>But then I receive the message and the messages are signed as clean in
>>>MailWatch.
>>>
>>>In this last month I do not remember what I have installed.
>>>
>>>Thanks in advance.
>>>
>>>
>>>Ricardo Luis Cañavate García
>>>Dpto. Informática
>>>NOZAR Grupo Inmobiliario
>>>Tel: 91 758 96 30 | Fax: 91 559 85 82
>>>www.nozar.es
>>>
>>>
>>>=========================================================================
>>>You are receiving this message because your e-mail address is listed in
>>>our database due to previous communications with us,
>>>so we have assumed that we have your permission to send you professional
>>>information. However, if you do not wish to continue to receive such
>>>information then please let us know.
>>>This message is intended exclusively for its addressee and may contain
>>>information that is CONFIDENTIAL and protected by professional privilege.
>>>If you are not the intended recipient you are hereby notified that any
>>>dissemination, copy or disclosure of this communication is strictly
>>>prohibited by law. If this message has been received in error, please
>>>immediately notify us via e-mail and delete it.
>>>=======================================================================
>>>
>>>------------------------ MailScanner list ------------------------
>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>'leave mailscanner' in the body of the email.
>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>
>>**********************************************************************
>>
>>This email and any files transmitted with it are confidential and
>>intended solely for the use of the individual or entity to whom they
>>are addressed. If you have received this email in error please notify
>>the system manager.
>>
>>This footnote confirms that this email message has been swept
>>for the presence of computer viruses and is believed to be clean.
>>
>>**********************************************************************
>>
>>
> 
> 


</x-flowed>
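
The point made in the reply at the top of this message, that the result depends on which virus report format a regex is looking for, shown as an added example over the thread's own log lines (not part of the original thread, and not MailWatch or MailScanner code). The patterns, function names and the "delivered without quarantine" check are assumptions made for this illustration; the sample lines are condensed from the excerpts quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: log excerpts from this thread, unwrapped to one line each.
SAMPLE_LOG = """\
Oct 15 09:47:49 servnozar MailScanner[9034]: /home/spool.mailscanner/incoming/9034/i9F7laxR009419/letter43.zip Found the W32/Netsky.p at MM!zip virus !!!
Oct 15 09:47:50 servnozar sendmail[9447]: i9F7laxR009419: to=<informatica at nozar.es>, mailer=local, dsn=2.0.0, stat=Sent
Oct 15 13:32:14 servnozar MailScanner[22928]: /home/spool.mailscanner/incoming/22928/i9FBW5Br023662/Part-2.zip Found the W32/Netsky.z at MM!zip virus !!!
Oct 15 13:32:15 servnozar MailScanner[22928]: /home/spool.mailscanner/incoming/22928/./i9FBW5Br023662/Part-2.zip: Worm.SomeFool.Z FOUND
Oct 15 13:32:16 servnozar MailScanner[22928]: Saved entire message to /var/spool/MailScanner/quarantine/20041015/i9FBW5Br023662
"""

# Illustrative patterns for the two report styles in the logs above; these are
# assumptions written for this example, not MailWatch's or MailScanner's regexes.
REPORT_STYLES = {
    "found-the": re.compile(r"Found the (?P<name>.+?) virus !!!"),
    "name-found": re.compile(r": (?P<name>\S+) FOUND$"),
}
QUEUE_ID = re.compile(r"/incoming/\d+/(?:\./)?(?P<qid>[^/\s]+)/")
DELIVERED = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=.*stat=Sent")
QUARANTINED = re.compile(r"Saved entire message to \S*/(?P<qid>\w+)$")

def triage(log_text, styles=REPORT_STYLES):
    """Group scanner hits per queue ID and note delivery and quarantine records."""
    msgs = defaultdict(lambda: {"viruses": set(), "delivered": False, "quarantined": False})
    for line in log_text.splitlines():
        if (m := DELIVERED.search(line)):
            msgs[m["qid"]]["delivered"] = True
        elif (m := QUARANTINED.search(line)):
            msgs[m["qid"]]["quarantined"] = True
        elif (q := QUEUE_ID.search(line)):
            for pattern in styles.values():
                if (m := pattern.search(line)):
                    msgs[q["qid"]]["viruses"].add(m["name"])
    return dict(msgs)

def delivered_without_quarantine(msgs):
    """Queue IDs with a scanner hit, a local delivery and no quarantine record."""
    return sorted(q for q, s in msgs.items()
                  if s["viruses"] and s["delivered"] and not s["quarantined"])

if __name__ == "__main__":
    print(delivered_without_quarantine(triage(SAMPLE_LOG)))
```

Passing only one of the two styles to `triage` leaves the other scanner's hits unrecorded, which is how a message can look clean to a consumer of the log. A flagged queue ID is a pointer for manual checking, since what is quarantined and what is delivered depends on the MailScanner configuration.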


