Stored Spam vs Virus Infected

Derek Winkler dwinkler at ALGORITHMICS.COM
Wed Jan 12 21:45:18 GMT 2005



I'm having a problem with stored spam: when users try to retrieve messages
by having them resent, they are rescanned by MailScanner, which then detects
a virus and doesn't send them. It works fine when the email doesn't contain
a virus.

The log entries show that on Jan 4, this email was determined to be spam and
stored.

The user then tried to retrieve it on the 11th and a virus was detected.

Why wasn't the virus detected on the 4th?

What am I missing?

Is virus scanning not done if the action is store, or if the message is spam?

Stored mail is stored as queue files; resends drop the file back in the
mqueue.in directory with some changes to ensure they aren't detected as spam
again.

Please let me know if you need additional information.

Running MailScanner 4.32.5 with Sendmail/Sophos/ClamAV

Thanks in advance,

Derek

Jan  4 12:57:50 lime sendmail[18121]: [ID 801593 mail.info] j04HvkO18121: from=<Pete-ohkiPLeung at toto.CSUStan.edu>, size=28581, class=0, nrcpts=1, msgid=<gfigsevaernajguqdxq at algorithmics.com>, proto=SMTP, daemon=Daemon0, relay=ASte-Genev-Bois-152-1-51-102.w82-121.abo.wanadoo.fr [82.121.149.102]
Jan  4 12:57:50 lime sendmail[18121]: [ID 801593 mail.info] j04HvkO18121: to=<xxxxx at algorithmics.com>, delay=00:00:03, mailer=esmtp, pri=58581, stat=queued
Jan  4 13:21:52 lime MailScanner[14001]: Message j04HvkO18121 from 82.121.149.102 (pete-ohkipleung at toto.csustan.edu) to algorithmics.com is spam, SpamAssassin (score=7.004, required 4.5, autolearn=disabled, HTML_90_100 0.19, HTML_MESSAGE 0.00, HTML_SHORT_LENGTH 0.71, MIME_HTML_ONLY 1.16, MSGID_SPAM_LETTERS 3.15, RCVD_IN_NJABL_DUL 1.66, RCVD_IN_SORBS_DUL 0.14)
Jan  4 13:26:24 lime MailScanner[14001]: Spam Actions: message j04HvkO18121 actions are store


Jan 11 08:51:32 lime MailScanner[5464]: SophosSAVI::INFECTED:: W32/Bagle-AA:: ./j04HvkO18121/MoreInfo.exe
Jan 11 08:51:39 lime MailScanner[5464]: /var/spool/MailScanner/incoming/5464/./j04HvkO18121/MoreInfo.exe: Worm.Bagle.Z FOUND
Jan 11 08:51:40 lime MailScanner[5464]: Infected message j04HvkO18121 came from 82.121.149.102
Jan 11 08:51:40 lime MailScanner[5464]: Filename Checks: Possible Windows executable attack (j04HvkO18121 MoreInfo.exe)

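
A log check for the situation described in the post, as an added example that is not part of the original message: it pairs each "Spam Actions ... store" entry with a later "Infected message" entry for the same queue ID, flagging stored spam that was only reported as infected when it was rescanned. The sample lines are constructed from the log format above (addresses replaced with documentation values, second queue ID invented), and the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the MailScanner log format in the post
# (one entry per line; IPs and domains are documentation placeholders).
SAMPLE_LOG = """\
Jan  4 13:21:52 lime MailScanner[14001]: Message j04HvkO18121 from 192.0.2.10 (sender@example.org) to example.com is spam, SpamAssassin (score=7.004, required 4.5)
Jan  4 13:26:24 lime MailScanner[14001]: Spam Actions: message j04HvkO18121 actions are store
Jan  4 13:30:02 lime MailScanner[14001]: Spam Actions: message j04HzzA20001 actions are store
Jan 11 08:51:32 lime MailScanner[5464]: SophosSAVI::INFECTED:: W32/Bagle-AA:: ./j04HvkO18121/MoreInfo.exe
Jan 11 08:51:40 lime MailScanner[5464]: Infected message j04HvkO18121 came from 192.0.2.10
"""

# Syslog prefix: timestamp, host, "MailScanner[pid]:", then the message body.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[\d+\]: (.*)$")
STORED = re.compile(r"Spam Actions: message (\S+) actions are .*\bstore\b")
INFECTED = re.compile(r"Infected message (\S+) came from")


def stored_then_infected(log_text, year=2005):
    """Return (queue_id, stored_at, infected_at, days_between) for every
    message that was stored as spam and later reported as infected.
    `year` is an assumption: all lines are taken to fall in the same year."""
    stored, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a MailScanner entry (e.g. sendmail lines)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        body = m.group(2)
        s = STORED.search(body)
        i = INFECTED.search(body)
        if s:
            stored.setdefault(s.group(1), ts)  # keep the first store time
        elif i and i.group(1) in stored:
            qid = i.group(1)
            findings.append((qid, stored[qid], ts, (ts - stored[qid]).days))
    return findings


if __name__ == "__main__":
    for qid, stored_at, infected_at, days in stored_then_infected(SAMPLE_LOG):
        print(f"{qid}: stored {stored_at}, infected on rescan {infected_at} ({days} days later)")
```
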
