worm emails marked as possible spam

Ken Goods KGoods at AIAINSURANCE.COM
Fri Dec 2 00:48:24 GMT 2005


IT Dept wrote:
> Scott Silva wrote:
> 
>> AFAICR I think they are spam checked, virus scanned, and then run
>> through filename/type checks. Maybe there is something in your
>> silent viruses config missing like "all viruses". 
>> 
>> 
> This is from my mailscanner.conf file:
> 
> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = no
> Quarantine Silent Viruses = yes
> Log Silent Viruses = no
> 
> Should I change something?
> 
> Chris
> 

Chris,
I was having the same exact problem until yesterday. I have the same
settings as you (above) and my users were never notified as long as the
filetype/name rules *and* the virus scanner caught them. Turns out in my
case *only* the filetype/name rules were hitting and I notify my users of
this in case they need to make other arrangements to get the file. Most
times it's because someone names a file thisdoc12.1.05.doc or something
idiotic like that.

I have my configuration set up to have MailScanner notify me of any blocked
mail regardless of why it was blocked (we don't have that many until this
last worm).

Here's an example of a bad filename notification:

The following e-mails were found to have: Bad Filename Detected

    Sender: hostmaster at amersel.com
IP Address: 216.38.219.115
 Recipient: user1 at mydomain.com, user2 at mydomain.com, user3 at mydomain.com
   Subject: Registration Confirmation
 MessageID: jATLS02n030424
Quarantine: /var/spool/MailScanner/quarantine/20051129/jATLS02n030424
    Report: MailScanner: Executable DOS/Windows programs are dangerous in
email (File-packed_da.exe)
    Report: MailScanner: Executable DOS/Windows programs are dangerous in
email (File-packed_dataInfo.exe)
            MailScanner: Executable DOS/Windows programs are dangerous in
email (File-packed_da.exe)
            MailScanner: Executable DOS/Windows programs are dangerous in
email (File-packed_dataInfo.exe)

Full headers are: etc... etc...

These were not getting caught by ClamAV (my fault) and thus my users were
getting notified.

Now here's a sample after I fixed ClamAV (and added bitdefender just for
good measure):

The following e-mails were found to have: Bad Filename Detected : Virus
Detected

    Sender: postmaster at judicial.state.co.us
IP Address: 216.38.219.115
 Recipient: user1 at mydomain.com, user2 at mydomain.com, user3 at mydomain.com
   Subject: Your_Password
 MessageID: jB19NTjG008286
Quarantine: /var/spool/MailScanner/quarantine/20051201/jB19NTjG008286
    Report: MailScanner: Executable DOS/Windows programs are dangerous in
email (File-packed_da.exe)
    Report: ClamAV: File-packed_dataInfo.exe contains Worm.Sober.U 
            Bitdefender: Found virus Win32.Sober.AD at mm in file
File-packed_dataInfo.exe
            MailScanner: Executable DOS/Windows programs are dangerous in
email (File-packed_dataInfo.exe)
            MailScanner: Executable DOS/Windows programs are dangerous in
email (File-packed_da.exe)
            ClamAV: File-packed_dataInfo.exe contains Worm.Sober.U 
            Bitdefender: Found virus Win32.Sober.AD at mm in file
File-packed_dataInfo.exe
            MailScanner: Executable DOS/Windows programs are dangerous in
email (File-packed_dataInfo.exe)
    Report: ClamAV: reg_pass.zip contains Worm.Sober.U 
            Bitdefender: Found virus Win32.Sober.AD at mm in file reg_pass.zip

Full headers are: etc... etc...

Since these are getting caught and I have those settings in MailScanner.conf
(as you do above) nobody but me is getting notified which is the way I like
it! :)

In my case I had two versions of ClamAV running on my machine and running
clamscan from the command line would use the newer version and catch the
viruses but MailScanner using the wrapper was using the older version and
wouldn't.

Thanks to the sharp eye (and much more experience) of Glenn Steen, the light
bulb finally went off. If you think there's any chance of this being your
problem take a look at the Antivirus woes... thread from yesterday.

Hope it helps,
Ken


Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.
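
A quick way to check for the duplicate-ClamAV situation described in the message above, as an added example that is not part of the original post and is not MailScanner's own code. The function names are hypothetical, and the directories you pass in are assumptions: include every bin directory on your PATH plus the one under the install prefix your MailScanner ClamAV wrapper is configured to use.

```shell
#!/bin/sh
# Added example: find every clamscan binary in the given directories and
# warn when they do not all report the same engine version.

# Print "<path><TAB><version line>" for each executable clamscan found.
list_clamscans() {
    for dir in "$@"; do
        bin="$dir/clamscan"
        [ -x "$bin" ] || continue
        # clamscan --version typically prints "ClamAV <engine>/<db>/<date>"
        ver=$("$bin" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\n' "$bin" "${ver:-unknown}"
    done
}

# Print the number of distinct engine versions (text before the first "/").
distinct_versions() {
    list_clamscans "$@" | cut -f2 | cut -d/ -f1 | sort -u | awk 'END { print NR }'
}

# List what was found; return 1 when more than one engine version exists,
# which is the case where the command line and the wrapper can disagree.
check_clamav_versions() {
    n=$(distinct_versions "$@")
    list_clamscans "$@"
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n different ClamAV engine versions found" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_clamav.sh /usr/bin /usr/local/bin <wrapper-prefix>/bin
if [ "$#" -gt 0 ]; then
    check_clamav_versions "$@"
fi
```

If the check reports more than one version, remove the stale install or point the wrapper at the current one, then confirm that a new quarantine notification carries a ClamAV report line alongside the filename report.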
