Problem Email Again (retry)

Scott Silva ssilva at SGVWATER.COM
Thu Jun 16 20:03:08 IST 2005 

    [ The following text is in the "windows-1252" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Mike Kercher said the following on 6/15/2005 4:53 PM:
> I tried attaching the problem qf/df pair and it was rejected so I have
> uploaded the archive here:
> 
> http://www.abby.com/problem_email.tar.gz
> 
> 
> 
> I emailed the list a week or so ago about certain emails getting stuck in
> /var/spool/mqueue.in, being processed over and over again.  It happened
> again today.  I restarted MailScanner in debug mode and didn't see anything
> useful there:
> 
> Jun 15 18:39:11 mail sendmail[4248]: alias database /etc/aliases rebuilt by
> root
> 
> Jun 15 18:39:11 mail sendmail[4248]: /etc/aliases: 73 aliases, longest 17
> bytes, 768 bytes total
> 
> Jun 15 18:39:11 mail sendmail[4258]: starting daemon (8.13.4): SMTP
> 
> Jun 15 18:39:11 mail sm-msp-queue[4263]: starting daemon (8.13.4):
> queueing at 00:15:00
> 
> Jun 15 18:39:12 mail sendmail[4269]: starting daemon (8.13.4):
> queueing at 00:15:00
> 
> Jun 15 18:39:13 mail MailScanner[4285]: MailScanner E-Mail Virus Scanner
> version 4.41.3 starting... 
> 
> Jun 15 18:39:16 mail MailScanner[4285]: SophosSAVI 3.94 (engine 2.30)
> recognizing 105435 viruses 
> 
> Jun 15 18:39:16 mail MailScanner[4285]: SophosSAVI using 109 IDE files 
> 
> Jun 15 18:39:17 mail MailScanner[4285]: lock.pl sees Config  LockType =
> posix 
> 
> Jun 15 18:39:17 mail MailScanner[4285]: lock.pl sees have_module =  0 
> 
> Jun 15 18:39:17 mail MailScanner[4285]: Using locktype = posix 
> 
> Jun 15 18:39:17 mail MailScanner[4285]: Creating hardcoded struct_flock
> subroutine for linux (Linux-type) 
> 
> Jun 15 18:39:17 mail MailScanner[4285]: New Batch: Scanning 1 messages, 9206
> bytes 
> 
> Jun 15 18:39:17 mail MailScanner[4285]: Created attachment dirs for 1
> messages 
> 
> Jun 15 18:39:17 mail MailScanner[4285]: Spam Checks: Starting 
> 
> Jun 15 18:39:17 mail MailScanner[4285]: RBL Checks: returned 0 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: SpamAssassin returned 0 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: Message j5FJvISb003617 from
> 66.163.175.82 (service at paypal.com) to abby.com is spam, SpamAssassin
> (score=12.606, required 5.7, AWL -0.01, BAYES_40 -1.10, DCC_CHECK 2.17,
> DIGEST_MULTIPLE 0.10, FORGED_MUA_OUTLOOK 3.92, FORGED_OUTLOOK_HTML 0.63,
> FORGED_OUTLOOK_TAGS 0.07, HTML_80_90 0.15, HTML_MESSAGE 0.00, MIME_HTML_ONLY
> 0.18, MSGID_FROM_MTA_HEADER 0.05, MSGID_FROM_MTA_ID 1.72, RAZOR2_CHECK 1.51,
> URIBL_OB_SURBL 3.21) 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: Spam Checks: Found 1 spam messages 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: Spam Actions: message j5FJvISb003617
> actions are delete 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: Virus and Content Scanning: Starting
> 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: Commencing scanning by
> clamavmodule... 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: ClamAVModule::INFECTED::
> HTML.Phishing.Pay-24:: ./j5FJvISb003617/msg-4285-1.html 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: Completed scanning by clamavmodule 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: Virus Scanning: ClamAV Module found
> 1 infections 
> 
> Jun 15 18:39:19 mail MailScanner[4285]: Commencing scanning by sophossavi...
> 
> 
> Jun 15 18:39:20 mail MailScanner[4285]: Completed scanning by sophossavi 
> 
> Jun 15 18:39:20 mail MailScanner[4285]: Infected message j5FJvISb003617 came
> from 66.163.175.82 
> 
> Jun 15 18:39:20 mail MailScanner[4285]: MailScanner child dying of old age 
> 
> I am attaching the associated qf/df pair...maybe someone can recreate the
> problem on their end <?>
> 
> TIA
> 
> Mike
> 
Not the slightest problem here. Maybe a virus scanner is choking on your
system?
Here are the results I got;

The following e-mails were found to have: Virus Detected

    Sender: service at paypal.com
IP Address: 66.163.175.82
 Recipient: northbelt at abby.com
   Subject: Account Verification Notice!
 MessageID: j5FJvISb003617
Quarantine: /var/spool/MailScanner/quarantine/20050616/j5FJvISb003617
    Report: ClamAV Module: msg-21678-13.html was infected:
HTML.Phishing.Pay-24

Full headers are:

 Return-Path: <^Ág>
 Received: from smtp005.bizmail.sc5.yahoo.com
(smtp005.bizmail.sc5.yahoo.com [66.163.175.82])
 	by mail.abby.com (8.13.4/8.13.4) with SMTP id j5FJvISb003617
 	for <northbelt at abby.com>; Wed, 15 Jun 2005 14:57:26 -0500
 Message-Id: <200506151957.j5FJvISb003617 at mail.abby.com>
 Received: from unknown (HELO admin at wangod.com)
(admin at wangod.com@203.210.212.110 with login)
   by smtp005.bizmail.sc5.yahoo.com with SMTP; 15 Jun 2005 19:58:31 -0000
 Reply-To: "service at paypal.com" <service at paypal.com>
 From: "service at paypal.com" <service at paypal.com>
 To: <northbelt at abby.com>
 Subject: Account Verification Notice!
 Date: Thu, 16 Jun 2005 02:58:12 +0700
 MIME-Version: 1.0
 Content-Type: text/html;
 	charset="us-ascii"
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2800.1106
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

-- 

/-----------------------\           |~~\_____/~~\__  |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!|                   ~~~|/~~  |
\-----------------------/                      ()

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list