Release 4.50.9 : Re: Worm.VB-8 not detected by filename or filetype
Dhawal Doshy
dhawal at netmagicsolutions.com
Wed Jan 18 18:00:58 GMT 2006
Julian Field wrote:
> Dhawal Doshy wrote:
>> Dhawal Doshy wrote:
>>> Dhawal Doshy wrote:
>>>> Julian Field wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>
>>>>> I have just released 4.50.9 which will decode the UU-encoded file
>>>>> attached to these messages, so that the virus scanners should all
>>>>> catch it, filename traps will work on the .scr file inside the
>>>>> .bhx file, filetype traps will work on it too.
>>>>
>>>> Just successfully upgraded a couple of production servers..
>>>
>>> I notice this in the logs..
>>> Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message
>>> 73CEF28ABDE.D9736 came from
>>>
>>> The IP address is blank :-(, i'll try and run this through the debug
>>> sometime later.
>>
>> The debug mode didn't tell me anything (apart from the EOCD thingy)..
>> how do i track this problem?
>>
>> Jan 18 22:40:53 mx2 MailScanner[21952]: Infected message
>> 77CE7288647.0EFC0 came from <== this is blank
>>
>> However the same thing works fine for spam
> Could the message have been generated on the server? If it is generated
> by invoking postfix (via the sendmail soft-link) directly, then there
> won't be any client IP as there was never an SMTP transaction.
Nopes Julian, none of the mails are generated locally.. further checks
reveal that this seems to be blank only if the reverse lookup
can't be done.. for all IPs that can be reverse looked up the message is
normal like this:
Jan 18 23:25:17 mx1 MailScanner[9679]: Infected message
3872D28ABB4.BF0A3 came from 59.144.45.244 <== resolves to
BTNL-KK-DSL244.45.144.59.touchtelindia.net
Jan 18 23:28:09 mx2 MailScanner[31926]: Infected message
8459A288833.82F31 came from <== this one is from 203.78.173.10 which
doesn't have a reverse lookup.
Hope this makes sense..
- dhawal
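
A log check for the symptom reported in this thread, as an added example that is not part of the original message or of MailScanner itself: it scans syslog lines for "Infected message ... came from" entries and reports the ones logged without a client IP. The sample input is constructed from the entries quoted above, each joined onto one line, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the MailScanner syslog entry quoted in the thread. The client IP
# after "came from" is optional, because the reported symptom is that it is blank.
INFECTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sMailScanner\[(?P<pid>\d+)\]:\s"
    r"Infected message (?P<msgid>\S+) came from"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)

# Constructed sample input: the log entries quoted above, one per line,
# plus one unrelated MailScanner line that must be ignored.
SAMPLE_LOG = """\
Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message 73CEF28ABDE.D9736 came from
Jan 18 22:40:53 mx2 MailScanner[21952]: Infected message 77CE7288647.0EFC0 came from
Jan 18 23:25:17 mx1 MailScanner[9679]: Infected message 3872D28ABB4.BF0A3 came from 59.144.45.244
Jan 18 23:28:09 mx2 MailScanner[31926]: Infected message 8459A288833.82F31 came from
Jan 18 23:30:00 mx2 MailScanner[31926]: New Batch: Scanning 1 messages, 1234 bytes
"""


def parse_infected(lines):
    """Yield (host, msgid, ip_or_None) for each infected-message entry."""
    for line in lines:
        m = INFECTED_RE.match(line.rstrip("\n"))
        if m:
            yield m["host"], m["msgid"], m["ip"]


def missing_source_report(lines):
    """Return (message ids logged without a client IP, per-host Counter)."""
    missing = [(host, msgid) for host, msgid, ip in parse_infected(lines)
               if ip is None]
    return [msgid for _, msgid in missing], Counter(h for h, _ in missing)


if __name__ == "__main__":
    ids, per_host = missing_source_report(SAMPLE_LOG.splitlines())
    for msgid in ids:
        print("no client IP logged for message", msgid)
    print(dict(per_host))
```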