worm emails marked as possible spam

DAve dave.list at PIXELHAMMER.COM
Thu Dec 1 19:47:30 GMT 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Jeff A. Earickson wrote:
> I don't subscribe to the Clam list so I don't know.  But the issue
> of Clam 0.87.1 not catching Sober.U on some types of operating
> systems (Solaris 9 in my case) seems to be a reoccurring topic
> on the MS list of late.  Clam 0.87.1 seems to work fine on some
> versions of UNIX (eg, Linux) but not others (Solaris, maybe BSD).
> The CVS code has fixed this, at least for me.

FreeBSD 5.3.1 and 5.4, the port version of ClamAV works correctly. 
Checking one of our AV Gateways,

clamscan -ri -v /local/spool/MailScanner/quarantine/20051201/
<SNIP>
/local/spool/MailScanner/quarantine/20051201/jB1JcAhB049490/mailtext.zip:
  Worm.Sober.U FOUND

----------- SCAN SUMMARY -----------
Known viruses: 41294
Engine version: 0.87.1
Scanned directories: 1032
Scanned files: 3112
Infected files: 1077
Data scanned: 257.75 MB
Time: 137.896 sec (2 m 17 s)

Last week began a 500% increase in captured viruses for us, mostly Sober 
varients.

DAve


> 
> Jeff Earickson
> Colby College
> 
> On Thu, 1 Dec 2005, IT Dept wrote:
> 
>> Date: Thu, 1 Dec 2005 10:48:40 -0800
>> From: IT Dept <itdept at FRACTALWEB.COM>
>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: worm emails marked as possible spam
>>
>> Jeff A. Earickson wrote:
>>
>>> This sounds like the problem of ClamAV not catching Sober.U/Sober-Z
>>> with ClamAV 0.87.1, check the list archives from earlier this week.
>>> I changed to the latest CVS version of Clam and the problem went
>>> away.  I'm totally baffled as to why Clam hasn't put out a new release
>>> to fix this nasty bug.
>>>
>>> Jeff Earickson
>>> Colby College
>>
>>
>> Jeff,
>>
>> I agree. This seems like EXACTLY what's happening. I haven't been over 
>> on the clamav list lately...what are people saying there about this 
>> issue?
>>
>> Cheers,
>> Chris

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list