Release 4.50.9 : Re: Worm.VB-8 not detected by filename or filetype
Julian Field
MailScanner at ecs.soton.ac.uk
Thu Jan 19 09:58:17 GMT 2006
On 19 Jan 2006, at 08:53, Julian Field wrote:
> * PGP Signed: 01/19/06 at 08:53:08
>
>
> On 18 Jan 2006, at 22:12, Dhawal Doshy wrote:
>
>> Dhawal Doshy wrote:
>>>>>>>>>>> Julian Field wrote:
>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>
>>>>>>>>>>>> I have just released 4.50.9 which will decode the UU-
>>>>>>>>>>>> encoded file attached to these messages, so that the
>>>>>>>>>>>> virus scanners should all catch it, filename traps will
>>>>>>>>>>>> work on the .scr file inside the .bhx file, filetype
>>>>>>>>>>>> traps will work on it too.
>>>>>>>>>>>
>>>>>>>>>>> Just successfully upgraded a couple of production servers..
>>>>>>>>>>
>>>>>>>>>> I notice this in the logs..
>>>>>>>>>> Jan 18 20:54:00 mx1 MailScanner[13545]: Infected message
>>>>>>>>>> 73CEF28ABDE.D9736 came from
>>>>>>>>>>
>>>>>>>>>> The IP address is blank :-(, I'll try and run this through
>>>>>>>>>> the debug sometime later.
>>>>>>>>>
>>>>>>>>> The debug mode didn't tell me anything (apart from the EOCD
>>>>>>>>> thingy).. how do I track this problem?
>>
>> Julian,
>>
>> I *might* have figured the error, here's the situation..
>>
>> Notify Senders Of Viruses = no
>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>>
>> But filename.rules.conf has been modified to use deny+delete
>> rather than simply deny.
>> deny+delete \.pif$ - -
>> deny+delete \.scr$ - -
>> deny+delete \.cpl$ - -
>>
>> Yet MailScanner (I think) tries to send out a notification for the
>> policy violation and yes.. this time being sent from localhost it
>> obviously doesn't show the IP address. The problem is it goes into
>> an endless loop post this situation of trying to send out the
>> notification. Any ideas?
>
> I don't understand your explanation. Are you saying that
> MailScanner gets stuck in an endless loop?
Please use 4.50.10-1 instead. That contains the bugfix.
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
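
Added example, not part of the original message and not MailScanner's own code: a sketch of why decoding the UU-encoded attachment matters for the filename traps discussed above. The three rules are the deny+delete lines quoted in the thread; the function names, the sample attachment, case-insensitive matching and the default "allow" result are assumptions made for illustration.

```python
import binascii
import re

# Patterns from the filename.rules.conf lines quoted in the thread.
# Case-insensitive matching is an assumption of this sketch.
RULES = [("deny+delete", re.compile(p, re.I)) for p in (r"\.pif$", r"\.scr$", r"\.cpl$")]
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} (.+)$")

def uu_members(data):
    """Yield (filename, payload) for each uuencoded file found in data."""
    name, chunks = None, []
    for line in data.splitlines():
        if name is None:
            m = UU_BEGIN.match(line)
            if m:
                name, chunks = m.group(1).decode("latin-1").strip(), []
        elif line.strip() == b"end":
            yield name, b"".join(chunks)
            name = None
        elif line and line != b"`":
            try:
                chunks.append(binascii.a2b_uu(line))
            except binascii.Error:
                pass  # damaged line: the inner filename is still checked
    if name is not None:
        yield name, b"".join(chunks)  # truncated body with no "end" line

def check_name(filename):
    """Return the action of the first matching rule, else "allow"."""
    for action, pattern in RULES:
        if pattern.search(filename):
            return action
    return "allow"

def scan_attachment(filename, data):
    """Check the outer name and every uuencoded filename inside it."""
    results = [(filename, check_name(filename))]
    for inner, _payload in uu_members(data):
        results.append((inner, check_name(inner)))
    return results

def build_sample():
    """Constructed sample: harmless bytes uuencoded under the name photo.scr."""
    payload = b"MZ constructed sample, not malware"
    lines = [b"begin 644 photo.scr"]
    for i in range(0, len(payload), 45):
        lines.append(binascii.b2a_uu(payload[i:i + 45]).rstrip(b"\n"))
    return b"\n".join(lines + [b"`", b"end"])

if __name__ == "__main__":
    for name, action in scan_attachment("holiday.bhx", build_sample()):
        print(name, action)
```

Checking only the outer name lets holiday.bhx through; the .scr rule fires only once the uuencoded body is parsed and the inner filename is tested.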