Why mailscanner fails recognizing a forwarded infected.

Mirko Bovati bovati at MONDADORI.COM
Tue Sep 7 08:55:19 IST 2004


On Tuesday 07 September 2004 09:14, you wrote:
> On Tue, 7 Sep 2004, Mirko Bovati wrote:
> > On Monday 06 September 2004 17:46, you wrote:
> >> At 12:39 06/09/2004, you wrote:
> >>> I will send the sendmail's pair to Nai and wait for news.
> >>> Have you got any other hints?
> >>
> >> Have you checked that the path to /var/spool/MailScanner/incoming
> >> contains no symlinks at all? The fact that your qf and df files you are
> >> checking
> >
> > Yes, I checked. No symlinks at all. I moved qf and df only for
> > convenience. This is the only case I found. All other infected email I
> > try to forward MailScanner finds a virus. I think if it's a symlinks
> > problem MailScanner fails with all forwards. Isn't it?
>
> No, when I had symlinks on my box *some* (old) virii managed to slip by
> while others were detected properly, even in the same batch. I guess you
> could say symlinks can cause unexpected/random behaviour of mcafee.

I didn't suspect a random behavior like that.

>
> These kinds of problems are hard to sort out especially because you cannot
> trace if there are any symlinks in places where you would not expect them.

I'm absolutely sure I didn't make any symlink by hand at all. I only installed
MailScanner by its own installer. Does this prove that there aren't symlinks?


>
> I assume you are using the latest version of mcafee?
Yes the v4.3.20.

>
> Why not install clamav 'on the side', it's free and imho a lot better than
> mcafee which is always slow with their updates?

Yes I will try it.
By "on the side" you mean double scan a mail with clamav and uvscan on the
same MailScanner box?

thanks,
Mirko

>
> > In these hours I tested the same situation on a fedora core 1
> > mailscanner-4.32.5-1
> > uvscan 4.3.20
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

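The check raised in this thread, whether any component of the path to /var/spool/MailScanner/incoming is a symlink, can be scripted rather than inspected by eye. The following is an added example, not part of the original message or of MailScanner; the function name `find_symlinks_in_path` is hypothetical.

```shell
#!/bin/sh
# Added example: report every component of an absolute path that is a
# symbolic link, e.g. for /var/spool/MailScanner/incoming.
# Prints one "component -> target" line per symlink found.
# Returns 0 if no component is a symlink, 1 if at least one is,
# 2 if the path is not absolute or a component does not exist.
find_symlinks_in_path() {
    path=$1
    case $path in
        /*) ;;
        *) echo "need an absolute path: $path" >&2; return 2 ;;
    esac
    found=0
    current=
    # Split the path on "/" without globbing, then rebuild it
    # one component at a time so every prefix gets tested.
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $path
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -z "$part" ] && continue
        current="$current/$part"
        if [ -L "$current" ]; then
            printf '%s -> %s\n' "$current" "$(readlink "$current")"
            found=1
        elif [ ! -e "$current" ]; then
            echo "missing: $current" >&2
            return 2
        fi
    done
    return $found
}

# Stand-alone use: sh check_symlinks.sh /var/spool/MailScanner/incoming
if [ $# -gt 0 ]; then
    find_symlinks_in_path "$1"
fi
```

An exit status of 0 means every directory from / down to the given path is a real directory; any printed line names the component to replace with a real directory or a bind mount.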


