Viruses apparently getting through
Gib Gilbertson Jr.
gib at TMISNET.COM
Sat Dec 3 22:37:14 GMT 2005
Hi.
At 05:43 PM 3/12/2005, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Where is your copy of ClamAV installed? The location must be correct in
>/etc/MailScanner/virus.scanners.conf.
>If "which clamscan" produces /usr/local/bin/clamscan, then the entry in
>virus.scanners.conf should be "/usr/local", if it produces
>/usr/bin/clamscan, then it should be "/usr".
>
>What does your maillog say? That should give some indication of what
>it's finding.
>
Location is correct. It is catching other viruses fine. Just for some
reason a few e-mails which appear to be messages from other mail
systems reporting mail to nonexistent users has been returned for
whatever reason. The headers of the original e-mail are always
forged with some address from tmisnet.com such as hostmaster, or
webmaster, etc.
Here is an entry for a typical virus found by ClamAV:
Dec 3 01:27:22 thumper MailScanner[62916]: /var/spool/MailScanner/incoming/62916/./jB39R0OK082075/account-password.zip: Worm.Mytob.JM FOUND
Dec 3 01:27:22 thumper MailScanner[62916]: Virus Scanning: ClamAV found 1 infections
Dec 3 01:27:22 thumper MailScanner[62916]: Infected message jB39R0OK082075 came from 59.92.149.188
Dec 3 01:27:22 thumper MailScanner[62916]: Virus Scanning: Found 1 viruses
Just doesn't seem to be picking up this latest virus for some reason.
ClamAV is up to date.
Thanks
gib
>Gib Gilbertson Jr. wrote:
>
> > Hi.
> >
> > I'm seeing a lot of e-mails getting through that are caught by ZoneAlarm
> > Security Suite and reported to be infected by the Win32.Sober.W!.ZIP
> > virus. These are coming in as attachments with the extension .zm9 as
> > reported by ZoneAlarm.
> >
> >
> > I am running the following on FreeBSD 4.10
> >
> > MailScanner 4.32.4
> > ClamAV 0.87.1/1200
> >
> > I've added a file types rule to deny \.zm9$ files
> >
> > I'm still getting them in e-mail though.
> >
> > Any thoughts?
> >
> > Thanks
> >
> > gib
> >
Gib Gilbertson Jr.
Tierramiga Info Systems
619-287-8647 Support
http://www.tmisnet.com
San Diego's Friendly ISP
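
For the "What does your maillog say?" check, the MailScanner entries quoted in this message can be grouped per message ID, so that a message that slipped through can be looked up and shown to have no ClamAV hit logged. This is an added example, not part of the original post or of MailScanner; the sample lines are constructed, and the regular expressions assume the log format shown above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the maillog excerpt above
# (host name, PIDs, message IDs and addresses are made up for this example).
SAMPLE_LOG = """\
Dec  3 01:27:22 mx1 MailScanner[4242]: /var/spool/MailScanner/incoming/4242/./jB39AAAA000001/account-password.zip: Worm.Mytob.JM FOUND
Dec  3 01:27:22 mx1 MailScanner[4242]: Virus Scanning: ClamAV found 1 infections
Dec  3 01:27:22 mx1 MailScanner[4242]: Infected message jB39AAAA000001 came from 192.0.2.10
Dec  3 01:27:22 mx1 MailScanner[4242]: Virus Scanning: Found 1 viruses
Dec  3 01:31:05 mx1 sendmail[4300]: jB39BBBB000002: from=<a@example.org>, size=51234
"""

# syslog prefix of a MailScanner line; group 1 is the message text
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ MailScanner\[\d+\]: (.*)$")
# "<incoming dir>/<pid>/./<msgid>/<attachment>: <signature> FOUND"
FOUND = re.compile(
    r"^\S*/incoming/\d+/\./(?P<msgid>[^/]+)/(?P<file>.+): (?P<sig>\S+) FOUND$")
SOURCE = re.compile(r"^Infected message (?P<msgid>\S+) came from (?P<ip>\S+)$")


def correlate(log_text):
    """Return {msgid: {"source": ip or None, "hits": [(file, signature)]}}."""
    report = defaultdict(lambda: {"source": None, "hits": []})
    for line in log_text.splitlines():
        prefix = PREFIX.match(line)
        if not prefix:
            continue  # not a MailScanner line (e.g. sendmail)
        body = prefix.group(1)
        found = FOUND.match(body)
        if found:
            report[found["msgid"]]["hits"].append((found["file"], found["sig"]))
            continue
        src = SOURCE.match(body)
        if src:
            report[src["msgid"]]["source"] = src["ip"]
    return dict(report)


def was_flagged(report, msgid):
    """True if the scanner logged at least one FOUND line for msgid."""
    return bool(report.get(msgid, {}).get("hits"))


if __name__ == "__main__":
    for msgid, info in correlate(SAMPLE_LOG).items():
        print(msgid, info["source"], info["hits"])
```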