Release 4.50.9 : Re: Worm.VB-8 not detected by filename or filetype

Dhawal Doshy dhawal at netmagicsolutions.com
Wed Jan 18 20:01:03 GMT 2006


Dhawal Doshy wrote:
>>>>> Julian Field wrote:
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>
>>>>>> I have just released 4.50.9 which will decode the UU-encoded file  
>>>>>> attached to these messages, so that the virus scanners should all  
>>>>>> catch it, filename traps will work on the .scr file inside the 
>>>>>> .bhx  file, filetype traps will work on it too.
>>>>>
>>>>> Just successfully upgraded a couple of production servers..
>>>>
>>>> I notice this in the logs..
>>>> Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message 
>>>> 73CEF28ABDE.D9736 came from
>>>>
>>>> The IP address is blank :-(, i'll try and run this through the debug 
>>>> sometime later.
>>>
>>> The debug mode didn't tell me anything (apart from the EOCD thingy).. 
>>> how do i track this problem?
>>>
[SNIP]
This is getting weirder :(

[root@db ~]# tail -f /var/log/maillog | grep "came from"
Jan 19 01:27:56 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from 220.227.146.91
Jan 19 01:28:20 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:28:23 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:28:41 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:28:43 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:29:08 mx2 MailScanner[24290]: Infected message 342082881C5.4425B came from 59.161.64.25
Jan 19 01:29:26 mx2 MailScanner[24290]: Infected message 342082881C5.4425B came from
Jan 19 01:29:37 mx2 MailScanner[24388]: Infected message 740E4288309.62BC0 came from 210.18.63.180
Jan 19 01:29:45 mx2 MailScanner[24388]: Infected message 740E4288309.62BC0 came from
Jan 19 01:29:46 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:29:46 mx2 MailScanner[24290]: Infected message 342082881C5.4425B came from

Notice the duplication, now why would that happen?

- dhawal
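
The following is an added example, not part of the original post and not MailScanner code: a small triage script that groups the "came from" entries by message ID and counts how many carry a source IP and how many are blank. The regular expression assumes the log line layout shown in the excerpt above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Unwrapped "came from" lines copied from the log excerpt in the post.
SAMPLE_LOG = """\
Jan 19 01:27:56 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from 220.227.146.91
Jan 19 01:28:20 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:29:08 mx2 MailScanner[24290]: Infected message 342082881C5.4425B came from 59.161.64.25
Jan 19 01:29:26 mx2 MailScanner[24290]: Infected message 342082881C5.4425B came from
Jan 19 01:29:37 mx2 MailScanner[24388]: Infected message 740E4288309.62BC0 came from 210.18.63.180
Jan 19 01:29:46 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
"""

# Assumed layout: syslog timestamp, host, MailScanner[pid], message id, optional IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: "
    r"Infected message (?P<msgid>\S+) came from[ \t]*(?P<ip>\S*)[ \t]*$"
)


def summarize(log_text):
    """Group 'came from' entries by message id and count blank-source repeats."""
    report = defaultdict(lambda: {"ips": set(), "blank": 0, "total": 0, "pids": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a "came from" line in the assumed layout
        entry = report[m["msgid"]]
        entry["total"] += 1
        entry["pids"].add(m["pid"])
        if m["ip"]:
            entry["ips"].add(m["ip"])
        else:
            entry["blank"] += 1
    return dict(report)


def repeated(report):
    """Message ids that were logged more than once, sorted."""
    return sorted(msgid for msgid, e in report.items() if e["total"] > 1)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for msgid in repeated(rep):
        e = rep[msgid]
        print(msgid, "entries:", e["total"], "blank:", e["blank"],
              "ips:", sorted(e["ips"]), "pids:", sorted(e["pids"]))
```
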
