Release 4.50.9 : Re: Worm.VB-8 not detected by filename or filetype
Dhawal Doshy
dhawal at netmagicsolutions.com
Thu Jan 19 09:04:02 GMT 2006
Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> On 18 Jan 2006, at 22:12, Dhawal Doshy wrote:
>
>> Dhawal Doshy wrote:
>>>>>>>>>>> Julian Field wrote:
>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>
>>>>>>>>>>>> I have just released 4.50.9 which will decode the UU-
>>>>>>>>>>>> encoded file attached to these messages, so that the
>>>>>>>>>>>> virus scanners should all catch it, filename traps will
>>>>>>>>>>>> work on the .scr file inside the .bhx file, filetype
>>>>>>>>>>>> traps will work on it too.
>>>>>>>>>>> Just successfully upgraded a couple of production servers..
>>>>>>>>>> I notice this in the logs..
>>>>>>>>>> Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message
>>>>>>>>>> 73CEF28ABDE.D9736 came from
>>>>>>>>>>
>>>>>>>>>> The IP address is blank :-(, I'll try and run this through
>>>>>>>>>> the debug sometime later.
>>>>>>>>> The debug mode didn't tell me anything (apart from the EOCD
>>>>>>>>> thingy).. how do I track this problem?
>> Julian,
>>
>> I *might* have figured the error, here's the situation..
>>
>> Notify Senders Of Viruses = no
>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>>
>> But filename.rules.conf has been modified to use deny+delete rather
>> than simply deny.
>> deny+delete \.pif$ - -
>> deny+delete \.scr$ - -
>> deny+delete \.cpl$ - -
>>
>> Yet MailScanner (I think) tries to send out a notification for the
>> policy violation and yes.. this time being sent from localhost it
>> obviously doesn't show the IP address. The problem is it goes into
>> an endless loop post this situation of trying to send out the
>> notification. Any ideas?
>
> I don't understand your explanation. Are you saying that MailScanner
> gets stuck in an endless loop?
[root@mx1 MailScanner]# find /var/spool/MailScanner/incoming/ -type f | wc -l
3402
[root@mx1 MailScanner]# find /var/spool/postfix/hold/ -type f | wc -l
57
Nothing from the MailScanner incoming workdir gets deleted.. and hence it
continues processing the message again and again..
- dhawal
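
Added example, not part of the original message or of MailScanner: a shell check for the symptom reported above, files that stay in a spool directory instead of being cleaned up. The function names and the 30-minute threshold are assumptions; the two directories are the ones from the find commands in the post.

```shell
#!/bin/sh
# Added example: report spool files that have outlived a normal scan cycle.
# Threshold and function names are assumptions, not MailScanner settings.

# Count regular files under directory $1 with mtime older than $2 minutes.
# A missing directory counts as 0 so the check can run on any host.
stale_count() {
    sc_dir=$1; sc_mins=$2
    [ -d "$sc_dir" ] || { echo 0; return 0; }
    find "$sc_dir" -type f -mmin +"$sc_mins" 2>/dev/null | wc -l | tr -d ' '
}

# Print "<count> <subdir>" for each immediate subdirectory of $1 that still
# holds stale files, largest first, to show where the leftovers collect.
stale_by_subdir() {
    sb_dir=$1; sb_mins=$2
    [ -d "$sb_dir" ] || return 0
    for sb_sub in "$sb_dir"/*/; do
        [ -d "$sb_sub" ] || continue
        sb_n=$(stale_count "$sb_sub" "$sb_mins")
        if [ "$sb_n" -gt 0 ]; then
            echo "$sb_n ${sb_sub%/}"
        fi
    done | sort -rn
}

# Succeed (exit 0) when more than $3 files under $1 are older than $2 minutes,
# i.e. the directory is accumulating rather than draining.
spool_stuck() {
    ss_n=$(stale_count "$1" "$2")
    [ "$ss_n" -gt "$3" ]
}

# Run as "sh thisfile report" to check the two directories from the post.
if [ "${1:-}" = "report" ]; then
    for d in /var/spool/MailScanner/incoming /var/spool/postfix/hold; do
        echo "$d: $(stale_count "$d" 30) files older than 30 min"
        stale_by_subdir "$d" 30
    done
fi
```

Unlike a bare file count, filtering on age separates mail that is merely in flight from files that are never removed, so spool_stuck can be called from cron or a monitoring agent.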