Release 4.50.9 : Re: Worm.VB-8 not detected by filename or filetype
Julian Field
MailScanner at ecs.soton.ac.uk
Wed Jan 18 20:12:05 GMT 2006
Dhawal Doshy wrote:
> Dhawal Doshy wrote:
>>>>>> Julian Field wrote:
>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>
>>>>>>> I have just released 4.50.9 which will decode the UU-encoded
>>>>>>> file attached to these messages, so that the virus scanners
>>>>>>> should all catch it, filename traps will work on the .scr file
>>>>>>> inside the .bhx file, filetype traps will work on it too.
>>>>>>
>>>>>> Just successfully upgraded a couple of production servers..
>>>>>
>>>>> I notice this in the logs..
>>>>> Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message
>>>>> 73CEF28ABDE.D9736 came from
>>>>>
>>>>> The IP address is blank :-(, I'll try and run this through the
>>>>> debug sometime later.
>>>>
>>>> The debug mode didn't tell me anything (apart from the EOCD
>>>> thingy).. how do I track this problem?
>>>>
> [SNIP]
> This is getting weirder :(
>
> [root at db ~]# tail -f /var/log/maillog | grep "came from"
> Jan 19 01:27:56 mx2 MailScanner[24329]: Infected message
> CEC922880B7.161E3 came from 220.227.146.91
> Jan 19 01:28:20 mx2 MailScanner[24329]: Infected message
> CEC922880B7.161E3 came from
> Jan 19 01:28:23 mx2 MailScanner[24329]: Infected message
> CEC922880B7.161E3 came from
> Jan 19 01:28:41 mx2 MailScanner[24329]: Infected message
> CEC922880B7.161E3 came from
> Jan 19 01:28:43 mx2 MailScanner[24329]: Infected message
> CEC922880B7.161E3 came from
> Jan 19 01:29:08 mx2 MailScanner[24290]: Infected message
> 342082881C5.4425B came from 59.161.64.25
> Jan 19 01:29:26 mx2 MailScanner[24290]: Infected message
> 342082881C5.4425B came from
> Jan 19 01:29:37 mx2 MailScanner[24388]: Infected message
> 740E4288309.62BC0 came from 210.18.63.180
> Jan 19 01:29:45 mx2 MailScanner[24388]: Infected message
> 740E4288309.62BC0 came from
> Jan 19 01:29:46 mx2 MailScanner[24329]: Infected message
> CEC922880B7.161E3 came from
> Jan 19 01:29:46 mx2 MailScanner[24290]: Infected message
> 342082881C5.4425B came from
>
> Notice the duplication, now why would that happen?
You get 1 line for each infection report. Not quite sure why I wrote it
that way, but that's the reason.
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
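
An added example, not part of the original message and not MailScanner's own code: since each infection report produces its own "came from" line and the thread shows repeats with a blank address, this collapses the lines to one record per message ID, keeping the first non-empty source IP and a count of reports. The function names and the output layout are assumptions made for the illustration.

```python
import re

# Constructed sample: "came from" lines quoted in the thread, unwrapped to one
# syslog line each, plus one unrelated line (constructed) that must be skipped.
SAMPLE_LOG = """\
Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message 73CEF28ABDE.D9736 came from
Jan 19 01:27:56 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from 220.227.146.91
Jan 19 01:28:20 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:28:23 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:29:08 mx2 MailScanner[24290]: Infected message 342082881C5.4425B came from 59.161.64.25
Jan 19 01:29:26 mx2 MailScanner[24290]: Infected message 342082881C5.4425B came from
Jan 19 01:29:30 mx2 postfix/smtpd[100]: connect from unknown[192.0.2.1]
"""

# The IP group is optional because the thread shows lines where it is blank.
LINE_RE = re.compile(
    r"MailScanner\[\d+\]: Infected message (?P<msgid>\S+) came from ?(?P<ip>\S*)\s*$"
)


def collapse_infection_reports(lines):
    """Return {msgid: {"source": ip or None, "reports": n}} in first-seen order."""
    messages = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an "Infected message ... came from" line
        entry = messages.setdefault(m["msgid"], {"source": None, "reports": 0})
        entry["reports"] += 1  # one log line per infection report
        if m["ip"] and entry["source"] is None:
            entry["source"] = m["ip"]  # keep the first address that was logged
    return messages


def format_summary(messages):
    """One row per message; 'unknown' when no line carried an address."""
    return [
        f"{msgid} source={e['source'] or 'unknown'} reports={e['reports']}"
        for msgid, e in messages.items()
    ]


if __name__ == "__main__":
    for row in format_summary(collapse_infection_reports(SAMPLE_LOG.splitlines())):
        print(row)
```

A message whose every line has a blank address, like 73CEF28ABDE.D9736 in the sample, stays at `source=unknown` and needs its address recovered from the MTA's own log entries for that queue ID.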