ClamAV and MailScanner Bug

Steve Campbell campbell at cnpapers.com
Thu May 5 21:34:24 IST 2005



I don't mean to muddy the waters any, but I see some strange stuff going on
also.

I am running 4.36.1 with clamav (also not current). We have one user in
particular getting hit with this Sober thingy. The message is being flagged
as having a virus in the subject line, but is still delivered, even with all of
the parameters in the Virus Scanning and Vulnerability Testing section set to
"no" (with the exception of Virus Scanning = yes).

I realize that I should update, but ClamAV is finding this. Shouldn't my
conf settings delete the message? I find that the message is being scanned,
scored by SA, actions decided based on my Spam/High Spam settings, and then
virus scanned after the actions are performed. A listing of a particular
message follows:

May  5 15:58:36 mailserver2 sendmail[29880]: j45JwXPI029880: from=<info at hotmail.com>, size=73450, class=0, nrcpts=1, msgid=<7ee2.e8f8fb2a5e8e at hotmail.com>, proto=SMTP, daemon=MTA, relay=rrcs-24-73-137-179.se.biz.rr.com [24.73.137.179]
May  5 15:58:38 mailserver2 MailScanner[1143]: Message j45JwXPI029880 from 24.73.137.179 (info at hotmail.com) to cnpapers.com is spam, SpamAssassin (score=4.021, required 4, DNS_FROM_RFC_POST 1.61, FORGED_HOTMAIL_RCVD2 1.18, MISSING_MIMEOLE 0.01, NO_REAL_NAME 0.01, SPF_SOFTFAIL 0.50, URI_CHINA_ADJ 0.71)
May  5 15:58:38 mailserver2 MailScanner[1143]: Spam Actions: message j45JwXPI029880 actions are store,deliver,striphtml
May  5 15:58:40 mailserver2 MailScanner[1143]: /var/spool/MailScanner/incoming/1143/./j45JwXPI029880/account_info.zip^Iinfected: Win32.Sober.O@mm
May  5 15:58:40 mailserver2 MailScanner[1143]: /var/spool/MailScanner/incoming/1143/./j45JwXPI029880/Winzipped-Text_Data.txt           .exe^Iinfected: Win32.Sober.O@mm
May  5 15:58:40 mailserver2 MailScanner[1143]: Infected message j45JwXPI029880 came from 24.73.137.179
May  5 15:58:40 mailserver2 MailScanner[1143]: Filename Checks: Windows/DOS Executable (j45JwXPI029880 Winzipped-Text_Data.txt           .exe)
May  5 15:58:40 mailserver2 MailScanner[1143]: Filename Checks: Possible MS-Dos program shortcut attack (j45JwXPI029880 Winzipped-Text_Data.txt           .pif)
May  5 15:58:40 mailserver2 MailScanner[1143]: Saved entire message to /var/spool/MailScanner/quarantine/20050505/j45JwXPI029880
May  5 15:58:40 mailserver2 MailScanner[1143]: Saved infected "account_info.zip" to /var/spool/MailScanner/quarantine/20050505/j45JwXPI029880
May  5 15:58:40 mailserver2 MailScanner[1143]: Saved infected "Winzipped-Text_Data.txt           .pif" to /var/spool/MailScanner/quarantine/20050505/j45JwXPI029880
May  5 15:58:40 mailserver2 MailScanner[1143]: Saved infected "Winzipped-Text_Data.txt           .exe" to /var/spool/MailScanner/quarantine/20050505/j45JwXPI029880

I have the archive depth set to 2, but this doesn't seem to affect finding
the above virus, as it states it has found Win32.Sober.O.

Shouldn't this have just been deleted? It appears that after finding the
virus, it does the filename/filetype checks instead of not delivering the
message and attachment.

I hope the older log helps someone see something.

Steve Campbell
campbell at cnpapers.com
Charleston Newspapers
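The log above shows the ordering the post is complaining about: a "Spam Actions ... deliver" line for queue ID j45JwXPI029880 is logged before the "infected:" lines for the same ID. The following script is an added example (not part of the original post and not MailScanner's own code) that groups MailScanner syslog lines by queue ID and reports any message whose spam action included "deliver" and which was subsequently logged as infected. The sample log is constructed for the example and modelled on the excerpt above; the regular expressions match the log formats visible in that excerpt and are an assumption about other MailScanner versions.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the excerpt in the post (not a real capture).
# A literal tab separates the scanned path from "infected:", as in the original "^I".
SAMPLE_LOG = (
    "May  5 15:58:38 mailserver2 MailScanner[1143]: Message j45JwXPI029880 from 24.73.137.179 "
    "(info@hotmail.com) to cnpapers.com is spam, SpamAssassin (score=4.021, required 4)\n"
    "May  5 15:58:38 mailserver2 MailScanner[1143]: Spam Actions: message j45JwXPI029880 "
    "actions are store,deliver,striphtml\n"
    "May  5 15:58:40 mailserver2 MailScanner[1143]: /var/spool/MailScanner/incoming/1143/./"
    "j45JwXPI029880/account_info.zip\tinfected: Win32.Sober.O@mm\n"
    "May  5 15:58:40 mailserver2 MailScanner[1143]: /var/spool/MailScanner/incoming/1143/./"
    "j45JwXPI029880/Winzipped-Text_Data.txt           .exe\tinfected: Win32.Sober.O@mm\n"
    "May  5 15:58:40 mailserver2 MailScanner[1143]: Infected message j45JwXPI029880 came from 24.73.137.179\n"
    # Constructed second message: infected, but its spam action was "delete", so no complaint.
    "May  5 15:58:41 mailserver2 MailScanner[1143]: Spam Actions: message j45JwXPI029881 actions are delete\n"
    "May  5 15:58:41 mailserver2 MailScanner[1143]: /var/spool/MailScanner/incoming/1143/./"
    "j45JwXPI029881/invoice.zip\tinfected: Win32.Sober.O@mm\n"
    # Constructed third message: delivered and clean.
    "May  5 15:58:42 mailserver2 MailScanner[1143]: Spam Actions: message j45JwXPI029882 actions are deliver\n"
)

# Log formats taken from the excerpt above (assumed stable across versions).
SPAM_ACTIONS_RE = re.compile(r"Spam Actions: message (\S+) actions are (\S+)")
INFECTED_FILE_RE = re.compile(r"/incoming/\d+/\./([^/\s]+)/(.+?)\tinfected: (\S+)")


def parse_events(log_text):
    """Group MailScanner events by queue ID, preserving the order they were logged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SPAM_ACTIONS_RE.search(line)
        if m:
            events[m.group(1)].append(("spam_actions", m.group(2).split(",")))
            continue
        m = INFECTED_FILE_RE.search(line)
        if m:
            # payload: (attachment file name, detection name)
            events[m.group(1)].append(("infected", (m.group(2), m.group(3))))
    return events


def delivered_despite_virus(log_text):
    """Return {queue_id: details} for messages whose spam actions included
    'deliver' and which were also reported infected.  'virus_after_actions'
    is True when the infection was logged after the delivery decision, which
    is the ordering shown in the post."""
    suspect = {}
    for qid, evs in parse_events(log_text).items():
        deliver_idx = None
        infected_idx = []
        viruses = set()
        for i, (kind, payload) in enumerate(evs):
            if kind == "spam_actions" and "deliver" in payload and deliver_idx is None:
                deliver_idx = i
            elif kind == "infected":
                infected_idx.append(i)
                viruses.add(payload[1])
        if deliver_idx is not None and infected_idx:
            suspect[qid] = {
                "viruses": sorted(viruses),
                "virus_after_actions": any(i > deliver_idx for i in infected_idx),
            }
    return suspect


if __name__ == "__main__":
    for qid, info in delivered_despite_virus(SAMPLE_LOG).items():
        print(qid, info)
```

Run against the real log with `grep MailScanner /var/log/maillog | python3 thisfile.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; any queue ID it prints is one to look for in the quarantine directory and in the recipient's mailbox.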

----- Original Message -----
From: "Chris Stone" <cstone at AXINT.NET>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Thursday, May 05, 2005 4:03 PM
Subject: Re: ClamAV and MailScanner Bug


> On Thursday 05 May 2005 01:54 am, Julian Field wrote:
> > On 4 May 2005, at 22:16, Chris Stone wrote:
> > > On Wednesday 04 May 2005 02:57 pm, Julian Field wrote:
> > >> Julian Field wrote:
> > >> I just tried it with 2 Worm.Sober.P messages from my own servers, and
> > >> neither of them caused any problem whatsoever. Both caught just fine.
> > >> Worked with Maximum Archive Depth = 0 and with = 2.
> > >
> > > This problem is with MS 4.34.8 and ClamAV 0.83, ClamAV Module
> > > (latest from CPAN). Max Archive Depth = 0.
> >
> > Chris, can you try with the latest MailScanner please. I still cannot
> > find anything unusual whatsoever. You are running with
> >
> > Max Archive Depth = 0
> > Virus Scanners = clamavmodule
> > ClamAV 0.83
> >
> > (That's for my reference as people are not being clear as to whether
> > they are using "clamav" or "clamavmodule".)
>
> Upgraded to 4.41.3 last night and upgraded ClamAV to 0.84. ClamAVModule is
> 0.17. Didn't seem to make a difference. Other viruses are stopped, but Sober
> is detected and queued for delivery.
>
> As I noted in another email, I can get you root access to the server to test
> and poke around if you still need to. Email me offlist and I'll get you the
> particulars.
>
>
> Chris
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
