spam to delete is now virus scanned?

Mark Nienberg mark at TIPPINGMAR.COM
Thu Feb 10 19:14:03 GMT 2005


In previous versions of MailScanner I'm pretty sure that if a message
was determined to be high scoring spam and the high scoring spam actions
were to delete the message, then MailScanner would not bother performing a
virus scan also.  Now it seems MailScanner does a virus scan on the
message even though it will be deleted.  Did this change by intention?
I'm using 4.37.7. Example log follows:

Feb 10 09:58:24 gingham sendmail[10335]: j1AHwM2t010335: from=<mchristie at wpceng.com>, size=38893, class=0, nrcpts=1, msgid=<200502101758.j1AHwM2t010335 at mail.tippingmar.com>, proto=ESMTP, daemon=MTA, relay=h-68-166-219-79.snvacaid.covad.net [68.166.219.79]
Feb 10 09:58:29 gingham MailScanner[9365]: New Batch: Scanning 1 messages, 39455 bytes
Feb 10 09:58:30 gingham MailScanner[9365]: Spam Checks: Starting
Feb 10 09:58:35 gingham MailScanner[9365]: Message j1AHwM2t010335 from 68.166.219.79 (mchristie at wpceng.com) to tippingmar.com is spam, SpamAssassin (score=19.398, required 5.5, autolearn=spam, ADDRESS_IN_SUBJECT 1.80, BAYES_80 2.50, DCC_CHECK 2.17, MIME_BOUND_NEXTPART 0.00, MISSING_MIMEOLE 0.01, MSGID_FROM_MTA_ID 1.72, NO_REAL_NAME 0.01, PRIORITY_NO_NAME 1.10, RCVD_IN_XBL 3.08, SPF_HELO_FAIL 1.00, TMA_SPOOF_MACHINE 6.00, TMA_SPOOF_MACHNAME 0.01)
Feb 10 09:58:35 gingham MailScanner[9365]: Spam Checks: Found 1 spam messages
Feb 10 09:58:35 gingham MailScanner[9365]: Spam Actions: message j1AHwM2t010335 actions are delete
Feb 10 09:58:36 gingham MailScanner[9365]: Virus and Content Scanning: Starting
Feb 10 09:58:36 gingham MailScanner[9365]: SophosSAVI::INFECTED:: W32/Netsky-Q:: ./j1AHwM2t010335/msg9806.pif
Feb 10 09:58:36 gingham MailScanner[9365]: Virus Scanning: SophosSAVI found 1 infections
Feb 10 09:58:37 gingham MailScanner[9365]: ClamAVModule::INFECTED:: Worm.SomeFool.Q:: ./j1AHwM2t010335/msg9806.pif
Feb 10 09:58:37 gingham MailScanner[9365]: Virus Scanning: ClamAV Module found 1 infections
Feb 10 09:58:37 gingham MailScanner[9365]: Infected message j1AHwM2t010335 came from 68.166.219.79
Feb 10 09:58:37 gingham MailScanner[9365]: Virus Scanning: Found 1 viruses
Feb 10 09:58:37 gingham MailScanner[9365]: Filename Checks: Allowing j1AHwM2t010335 msg-9365-37.txt
Feb 10 09:58:37 gingham MailScanner[9365]: Filename Checks: Possible MS-Dos program shortcut attack (j1AHwM2t010335 msg9806.pif)
Feb 10 09:58:37 gingham MailScanner[9365]: Other Checks: Found 1 problems
Feb 10 09:58:37 gingham MailScanner[9365]: Saved infected "msg9806.pif" to /var/spool/MailScanner/quarantine/20050210/j1AHwM2t010335
Feb 10 09:58:37 gingham sendmail[10343]: j1AHwbPY010343: from=postmaster, size=1235, class=0, nrcpts=1, msgid=<200502101758.j1AHwbPY010343 at gingham.tippingmar.com>, relay=root at localhost

--
Mark Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave
Berkeley, CA 94704
http://www.tippingmar.com
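
Added example (not part of the original post, and not MailScanner code): a Python script that reads a MailScanner syslog and reports messages whose spam action was delete but which the same child process still mentioned in virus or filename check lines. The sample lines are constructed from the log above with wrapped lines rejoined; the IDs j1AConstructed01 and j1AConstructed02, the "deliver" action line, and the function name are assumptions. A deleted message that the scanning stages never log by ID leaves no evidence and is not reported.

```python
import re

# Constructed sample: lines taken from the post (rejoined) plus two made-up
# control messages, j1AConstructed01 and j1AConstructed02.
SAMPLE_LOG = """\
Feb 10 09:58:35 gingham MailScanner[9365]: Spam Actions: message j1AHwM2t010335 actions are delete
Feb 10 09:58:35 gingham MailScanner[9365]: Spam Actions: message j1AConstructed01 actions are deliver
Feb 10 09:58:35 gingham MailScanner[9365]: Spam Actions: message j1AConstructed02 actions are delete
Feb 10 09:58:36 gingham MailScanner[9365]: Virus and Content Scanning: Starting
Feb 10 09:58:36 gingham MailScanner[9365]: SophosSAVI::INFECTED:: W32/Netsky-Q:: ./j1AHwM2t010335/msg9806.pif
Feb 10 09:58:37 gingham MailScanner[9365]: Infected message j1AHwM2t010335 came from 68.166.219.79
Feb 10 09:58:37 gingham MailScanner[9365]: Filename Checks: Allowing j1AHwM2t010335 msg-9365-37.txt
Feb 10 09:58:37 gingham MailScanner[9365]: Filename Checks: Allowing j1AConstructed01 msg-9365-38.txt
"""

LINE = re.compile(r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACTION = re.compile(r"Spam Actions: message (?P<id>\S+) actions are (?P<actions>.+)$")
# Substrings that show a message reached the virus/content scanning stages.
SCAN_MARKERS = ("::INFECTED::", "Infected message", "Filename Checks:", "Saved infected")


def scanned_after_delete(log_text):
    """Map message id -> scan-stage log messages seen after a 'delete' action."""
    deleted = {}  # message id -> PID of the child that logged the delete action
    hits = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # sendmail and other non-MailScanner lines
        pid, msg = m.group("pid"), m.group("msg")
        action = ACTION.match(msg)
        if action:
            # Assumption: several actions, if present, are comma or space separated.
            if "delete" in re.split(r"[,\s]+", action.group("actions").strip()):
                deleted[action.group("id")] = pid
            continue
        if not any(marker in msg for marker in SCAN_MARKERS):
            continue
        for msg_id, owner in deleted.items():
            # Same child process, and the scan-stage line names the message.
            if owner == pid and msg_id in msg:
                hits.setdefault(msg_id, []).append(msg)
    return hits


if __name__ == "__main__":
    for msg_id, evidence in scanned_after_delete(SAMPLE_LOG).items():
        print(msg_id, "was scanned after a delete action:", len(evidence), "lines")
```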
