Viruses apparently getting through

João Gouveia jgouveia at GMAIL.COM
Sun Dec 4 16:27:47 GMT 2005

Hi,

I've seen a similar behaviour. In that particular situation, after
analysis, it turned out that the zip file was corrupted.
Running clamav by hand would render an error stating that the file
could not be unzipped.

J.

On 12/3/05, Gib Gilbertson Jr. <gib at tmisnet.com> wrote:
> Hi.
>
> At 05:43 PM 3/12/2005, you wrote:
> >Where is your copy of ClamAV installed? The location must be correct in
> >/etc/MailScanner/virus.scanners.conf.
> >If "which clamscan" produces /usr/local/bin/clamscan, then the entry in
> >virus.scanners.conf should be "/usr/local", if it produces
> >/usr/bin/clamscan, then it should be "/usr".
> >
> >What does your maillog say? That should give some indication of what
> >it's finding.
> >
>
> Location is correct. It is catching other viruses fine. Just for some
> reason a few e-mails which appear to be messages from other mail
> systems reporting mail to non-existent users has been returned for
> whatever reason. The headers of the original e-mail are always
> forged with some address from tmisnet.com such as hostmaster, or
> webmaster, etc.
>
> Here is an entry for a typical virus found by ClamAV:
>
> Dec  3 01:27:22 thumper MailScanner[62916]: /var/spool/MailScanner/incoming/62916/./jB39R0OK082075/account-password.zip: Worm.Mytob.JM FOUND
> Dec  3 01:27:22 thumper MailScanner[62916]: Virus Scanning: ClamAV found 1 infections
> Dec  3 01:27:22 thumper MailScanner[62916]: Infected message jB39R0OK082075 came from 59.92.149.188
> Dec  3 01:27:22 thumper MailScanner[62916]: Virus Scanning: Found 1 viruses
>
> Just doesn't seem to be picking up this latest virus for some reason.
> ClamAV is up to date.
>
> Thanks
>
> gib
>
>
>
> >Gib Gilbertson Jr. wrote:
> >
> > > Hi.
> > >
> > > I'm seeing a lot of e-mails getting through that are caught by ZoneAlarm
> > > Security Suite and reported to be infected by the Win32.Sober.W!.ZIP
> > > virus. These are coming in as attachments with the extension .zm9 as
> > > reported by ZoneAlarm.
> > >
> > >
> > > I am running the following on FreeBSD 4.10
> > >
> > > MailScanner 4.32.4
> > > ClamAV 0.87.1/1200
> > >
> > > I've added a file types rule to deny \.zm9$ files
> > >
> > > I'm still getting them in e-mail though.
> > >
> > > Any thoughts?
> > >
> > > Thanks
> > >
> > > gib
> > >
>
>
>
>       Gib Gilbertson Jr.
>       Tierramiga Info Systems
>       619-287-8647 Support
>       http://www.tmisnet.com
>       San Diego's Friendly ISP
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
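
The failure mode described in the reply above (a corrupted zip that the scanner cannot unpack), as an added example that is not part of the original thread and is not MailScanner or ClamAV code: a Python pre-check that verifies archive integrity and holds unreadable archives instead of delivering them. The function names, verdict strings and hold policy are assumptions for illustration, and the sample archives are constructed in memory.

```python
import io
import zipfile
import zlib


def classify_zip(data: bytes) -> str:
    """Return 'ok', 'unreadable' or 'not-zip' for an attachment's raw bytes."""
    if not data.startswith(b"PK"):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() reads every member and returns the first name
            # whose CRC-32 or header is bad, or None if all members check out.
            return "ok" if zf.testzip() is None else "unreadable"
    except (zipfile.BadZipFile, zlib.error, EOFError,
            NotImplementedError, RuntimeError):
        # Truncated archive, broken deflate stream, unsupported method,
        # or an encrypted member: a scanner cannot look inside either.
        return "unreadable"


def disposition(verdict: str) -> str:
    """Fail closed: anything that cannot be unpacked is held, not delivered."""
    return {"ok": "scan", "not-zip": "scan"}.get(verdict, "quarantine")


def sample_zip() -> bytes:
    """Constructed sample: a small valid archive with one stored member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample content\n")
    return buf.getvalue()


def truncated_zip() -> bytes:
    """Constructed sample: same archive cut in half (central directory lost)."""
    good = sample_zip()
    return good[: len(good) // 2]


def bitflipped_zip() -> bytes:
    """Constructed sample: one payload byte altered, so the CRC-32 no longer matches."""
    raw = bytearray(sample_zip())
    raw[raw.index(b"constructed")] ^= 0xFF
    return bytes(raw)


if __name__ == "__main__":
    for name, blob in [("good", sample_zip()), ("truncated", truncated_zip()),
                       ("bitflipped", bitflipped_zip()), ("text", b"plain body")]:
        verdict = classify_zip(blob)
        print(f"{name:10s} {verdict:10s} -> {disposition(verdict)}")
```
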
