Stored Spam vs Virus Infected

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jan 12 21:58:46 GMT 2005



If the message was just stored as its spam action, and you aren't
running a new enough version to have the "Keep Spam and MCP Archive
Clean" setting (I think that's what I called it) then it will store the
message in the archive in just the state it received it. This will
include any infections.

Upgrade to the latest version and make sure you have it set to keep the
spam archive clean, and it will delete infected spam from the archive,
so that your users can't retrieve infected messages.

In the past I always had the archives carefully store the messages in
exactly the state they were received.

Derek Winkler wrote:

>I'm having a problem with stored spam: when users try to retrieve it by having
>it resent, it is rescanned by MailScanner again, which then detects a
>virus and doesn't send. Works fine when the email doesn't contain a virus.
>
>The log entries show that on Jan 4, this email was determined to be spam and
>stored.
>
>The user then tried to retrieve it on the 11th and a virus was detected.
>
>Why wasn't the virus detected on the 4th?
>
>What am I missing?
>
>Is virus scanning not done if action is store? or if the message is spam?
>
>Stored mail is stored as queue files, resends drop the file back in the
>mqueue.in directory with some changes to ensure they aren't detected as spam
>again.
>
>Please let me know if you need additional information.
>
>Running MailScanner 4.32.5 with Sendmail/Sophos/ClamAV
>
>Thanks in advance,
>
>Derek
>
>Jan  4 12:57:50 lime sendmail[18121]: [ID 801593 mail.info] j04HvkO18121:
>from=<Pete-ohkiPLeung at toto.CSUStan.edu>, size=28581, class=0, nrcpts=1,
>msgid=<gfigsevaernajguqdxq at algorithmics.com>, proto=SMTP, daemon=Daemon0,
>relay=ASte-Genev-Bois-152-1-51-102.w82-121.abo.wanadoo.fr [82.121.149.102]
>Jan  4 12:57:50 lime sendmail[18121]: [ID 801593 mail.info] j04HvkO18121:
>to=<xxxxx at algorithmics.com>, delay=00:00:03, mailer=esmtp, pri=58581,
>stat=queued
>Jan  4 13:21:52 lime MailScanner[14001]: Message j04HvkO18121 from
>82.121.149.102 (pete-ohkipleung at toto.csustan.edu) to algorithmics.com is
>spam, SpamAssassin (score=7.004, required 4.5, autolearn=disabled,
>HTML_90_100 0.19, HTML_MESSAGE 0.00, HTML_SHORT_LENGTH 0.71, MIME_HTML_ONLY
>1.16, MSGID_SPAM_LETTERS 3.15, RCVD_IN_NJABL_DUL 1.66, RCVD_IN_SORBS_DUL
>0.14)
>Jan  4 13:26:24 lime MailScanner[14001]: Spam Actions: message j04HvkO18121
>actions are store
>
>
>Jan 11 08:51:32 lime MailScanner[5464]: SophosSAVI::INFECTED::
>W32/Bagle-AA:: ./j04HvkO18121/MoreInfo.exe
>Jan 11 08:51:39 lime MailScanner[5464]:
>/var/spool/MailScanner/incoming/5464/./j04HvkO18121/MoreInfo.exe:
>Worm.Bagle.Z FOUND
>Jan 11 08:51:40 lime MailScanner[5464]: Infected message j04HvkO18121 came
>from 82.121.149.102
>Jan 11 08:51:40 lime MailScanner[5464]: Filename Checks: Possible Windows
>executable attack (j04HvkO18121 MoreInfo.exe)
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
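The log lines Derek posted show exactly the situation Julian describes: the message was marked spam and stored on the 4th, and only when it was resubmitted on the 11th did Sophos and ClamAV flag MoreInfo.exe, meaning the archive had been holding an infected message for a week. An administrator on an older version without the archive-clean setting can audit for that pattern from the logs. The script below is an added editorial example, not MailScanner code or anything posted on the list: it correlates MailScanner syslog records by message id and reports messages that were stored as spam and later reported infected. It assumes the record formats visible in this thread and a log year of 2005 (syslog timestamps carry none); the two extra control lines (ids `j05CONSTRUCT1`, `j06CONSTRUCT2`, address 192.0.2.10) are constructed sample data, not from the thread.

```python
"""Find spam that MailScanner stored and that was later reported infected.

Editor's example, not MailScanner's own code. Assumes the log formats seen in
the thread and a single log year (syslog timestamps have no year field).
"""
import re
from datetime import datetime

LOG_YEAR = 2005  # assumption: the thread is dated January 2005

# syslog prefix: "Jan  4 13:26:24 host ..." (day may be space-padded)
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
# "Spam Actions: message <id> actions are store"
SPAM_ACTION = re.compile(r"Spam Actions: message (?P<id>\S+) actions are (?P<actions>.+)$")
# "Infected message <id> came from <ip>"
INFECTED = re.compile(r"Infected message (?P<id>\S+) came from (?P<src>\S+)")
# "SophosSAVI::INFECTED:: <sig>:: ./<id>/<file>"
SOPHOS_HIT = re.compile(r"INFECTED::\s*(?P<sig>\S+)::\s*\./(?P<id>[^/]+)/")
# ".../<id>/<file>: <sig> FOUND"  (clamav/clamscan style)
CLAM_HIT = re.compile(r"\./(?P<id>[^/]+)/\S+: (?P<sig>\S+) FOUND$")

# Sample input: the records from the thread (wrapped lines rejoined) plus two
# constructed control records that must NOT be reported.
SAMPLE_LOG = """\
Jan  4 13:21:52 lime MailScanner[14001]: Message j04HvkO18121 from 82.121.149.102 (pete-ohkipleung at toto.csustan.edu) to algorithmics.com is spam, SpamAssassin (score=7.004, required 4.5, autolearn=disabled)
Jan  4 13:26:24 lime MailScanner[14001]: Spam Actions: message j04HvkO18121 actions are store
Jan  5 09:00:00 lime MailScanner[14001]: Spam Actions: message j05CONSTRUCT1 actions are store
Jan  6 10:00:00 lime MailScanner[14001]: Infected message j06CONSTRUCT2 came from 192.0.2.10
Jan 11 08:51:32 lime MailScanner[5464]: SophosSAVI::INFECTED:: W32/Bagle-AA:: ./j04HvkO18121/MoreInfo.exe
Jan 11 08:51:39 lime MailScanner[5464]: /var/spool/MailScanner/incoming/5464/./j04HvkO18121/MoreInfo.exe: Worm.Bagle.Z FOUND
Jan 11 08:51:40 lime MailScanner[5464]: Infected message j04HvkO18121 came from 82.121.149.102
Jan 11 08:51:40 lime MailScanner[5464]: Filename Checks: Possible Windows executable attack (j04HvkO18121 MoreInfo.exe)
"""


def parse_ts(line):
    """Return the record's timestamp as a datetime, or None if no syslog prefix."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    # strptime treats whitespace in the format as \s+, so "Jan  4" parses fine
    return datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def correlate(log_text):
    """Build {msgid: record} with store time, infection time, source IP and signatures."""
    records = {}

    def rec(msgid):
        return records.setdefault(
            msgid, {"stored": None, "infected": None, "src": None, "sigs": []}
        )

    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        if m := SPAM_ACTION.search(line):
            actions = re.split(r"[\s,]+", m.group("actions").strip())
            if "store" in actions:
                rec(m.group("id"))["stored"] = ts
        elif m := INFECTED.search(line):
            r = rec(m.group("id"))
            r["infected"] = ts
            r["src"] = m.group("src")
        elif m := SOPHOS_HIT.search(line) or CLAM_HIT.search(line):
            rec(m.group("id"))["sigs"].append(m.group("sig"))
    return records


def stored_infected(log_text):
    """Messages stored as spam and reported infected afterwards, i.e. infectious
    content that sat in the spam archive. Each hit is
    (msgid, stored_at, infected_at, source_ip, sorted unique signatures)."""
    hits = []
    for msgid, r in correlate(log_text).items():
        if r["stored"] and r["infected"] and r["infected"] > r["stored"]:
            hits.append((msgid, r["stored"], r["infected"], r["src"], sorted(set(r["sigs"]))))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for msgid, stored, infected, src, sigs in stored_infected(SAMPLE_LOG):
        held = infected - stored
        print(f"{msgid}: stored {stored:%b %d %H:%M}, infected {infected:%b %d %H:%M} "
              f"(held {held.days}d), from {src}, signatures {', '.join(sigs)}")
```

Run it against a real maillog in place of `SAMPLE_LOG` to get the list of message ids whose stored copies still need to be removed from the archive by hand; on a version with the archive-clean setting Julian mentions, the list should stay empty.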
