Release 4.50.9 : Re: Worm.VB-8 not detected by filename or filetype

Dhawal Doshy dhawal at netmagicsolutions.com
Wed Jan 18 20:23:04 GMT 2006


Julian Field wrote:
> Dhawal Doshy wrote:
>> Dhawal Doshy wrote:
>>>>>>> Julian Field wrote:
>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>
>>>>>>>> I have just released 4.50.9 which will decode the UU-encoded 
>>>>>>>> file  attached to these messages, so that the virus scanners 
>>>>>>>> should all  catch it, filename traps will work on the .scr file 
>>>>>>>> inside the .bhx  file, filetype traps will work on it too.
>>>>>>>
>>>>>>> Just successfully upgraded a couple of production servers..
>>>>>>
>>>>>> I notice this in the logs..
>>>>>> Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message 
>>>>>> 73CEF28ABDE.D9736 came from
>>>>>>
>>>>>> The IP address is blank :-(, I'll try and run this through the 
>>>>>> debug sometime later.
>>>>>
>>>>> The debug mode didn't tell me anything (apart from the EOCD 
>>>>> thingy).. how do I track this problem?
>>>>>
>> [SNIP]
>> This is getting weirder :(
>>
>> [root at db ~]# tail -f /var/log/maillog | grep "came from"
>> Jan 19 01:27:56 mx2 MailScanner[24329]: Infected message 
>> CEC922880B7.161E3 came from 220.227.146.91
>> Jan 19 01:28:20 mx2 MailScanner[24329]: Infected message 
>> CEC922880B7.161E3 came from
>> Jan 19 01:28:23 mx2 MailScanner[24329]: Infected message 
>> CEC922880B7.161E3 came from
>> Jan 19 01:28:41 mx2 MailScanner[24329]: Infected message 
>> CEC922880B7.161E3 came from
[SNIP]
>> Notice the duplication, now why would that happen?
> You get 1 line for each infection report. Not quite sure why I wrote it 
> that way, but that's the reason.

Wasn't like this before the upgrade.. here are logs for an hour from 
15th Jan (way before the upgrade)

I have a SEC script looking for this entry in the maillogs and creating 
a local virus-rbl.. else I wouldn't be so deeply concerned.

- dhawal

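A small parser for these "Infected message ... came from" lines, added here as an example and not code from the thread, MailScanner or the SEC script it mentions. It collapses the one-line-per-report duplicates and skips blank-IP lines before anything like a locally generated virus RBL consumes them; the sample lines are constructed from the log format quoted above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the maillog lines quoted in the thread: normal
# reports, the blank-IP duplicates seen after 4.50.9, and one unrelated line.
SAMPLE_LOG = """\
Jan 19 01:27:56 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from 220.227.146.91
Jan 19 01:28:20 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 19 01:28:23 mx2 MailScanner[24329]: Infected message CEC922880B7.161E3 came from
Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message 73CEF28ABDE.D9736 came from
Jan 15 05:06:33 mx1 MailScanner[20682]: Infected message 9B75DCB9B3.61D1D came from 203.199.13.210
Jan 15 05:07:24 mx1 MailScanner[20581]: Infected message C84FFCD015.7D16C came from 203.199.13.210
Jan 15 05:08:00 mx1 MailScanner[20581]: Message 0000000000.00000 is clean
"""

# The trailing IP is optional: 4.50.9 logs one line per infection report and
# only the first line for a message carries the address.
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) MailScanner\[\d+\]: "
    r"Infected message (?P<msgid>\S+) came from(?: (?P<ip>\S+))?\s*$"
)

def parse_infected(text):
    """Yield (msgid, ip) per matching line; ip is None when blank or not an address."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip"))) if m.group("ip") else None
        except ValueError:
            ip = None  # never hand a non-address token to the RBL feeder
        yield m.group("msgid"), ip

def source_counts(text):
    """Distinct infected message ids per source IP, with duplicate reports collapsed
    and blank-IP lines ignored so they cannot inflate counts or add an empty entry."""
    seen = defaultdict(set)
    for msgid, ip in parse_infected(text):
        if ip is not None:
            seen[ip].add(msgid)
    return {ip: len(ids) for ip, ids in seen.items()}

def unattributed(text):
    """Message ids that never appeared with an IP, i.e. the cases worth debugging."""
    with_ip, without_ip = set(), set()
    for msgid, ip in parse_infected(text):
        (with_ip if ip else without_ip).add(msgid)
    return without_ip - with_ip
```

On the sample, the three reports for CEC922880B7.161E3 count once against 220.227.146.91, and 73CEF28ABDE.D9736 is reported as unattributed instead of being fed to the RBL as an empty entry.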

