Virus still being picked up an hour later

Jim Holland mailscanner at mango.zw
Thu Jan 19 14:18:02 GMT 2006


Hi

On Thu, 19 Jan 2006, Dhawal Doshy wrote:

> > I have a problem with MailScanner where it doesn't seem to be getting rid of a virus from the filesystem once it's found.
> > Here's an example:
> > Below is the first instance.
> > Jan 19 12:35:22 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
> > 
> > Sometimes (but not every time) MailScanner also picks up the bad filename.
> > Jan 19 12:35:22 proxy2 MailScanner[27476]: Filename Checks: Possible MS-Dos program shortcut attack (6BCB544E5D5.ED322 eBook.PIF)
> > 
> > As of this moment, MailScanner is still picking up this same instance (1 hour later).
> > Jan 19 13:35:04 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
> > 
> > Any idea why this might be happening?
> 
> This is precisely what I have been unsuccessfully trying to convey all 
> evening to Julian.. somehow no one else seemed to be in this situation..
> 
> Here's what I observed.. all files (even legit ones) continue to be 
> lying in the MailScanner incoming directory (within their respective PID 
> directory) and do NOT get deleted post batch processing.. as a result 
> MailScanner keeps on checking them again and again..
> 
> I am at a loss to take it any further, since I haven't slept all night 
> long trying to figure out the reason.. :-(

I come across this problem every couple of months, but it is generally
only a single batch of messages that keeps getting processed over and over
again.  I have always found that if I start by archiving the first message
in the batch, then wait for the rest to be reprocessed, then archive the
next one if the problem continues, it will eventually sort itself out.  
Oddly enough the archived message can sometimes be processed perfectly by
simply putting it back in the queue.  At other times a message is
apparently unprocessable and then I just check it manually and if OK I
dump it into mqueue, bypassing MailScanner.

I am using sendmail 8.13.1 and MailScanner-4.45.4-1 (definitely time to 
upgrade - I had just been waiting for latest beta to pass all user tests).

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
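
Added example, not part of the original posts or of MailScanner itself: a small log check that flags any queue ID whose virus hit is logged again long after it was first found, which is the symptom described in this thread. The first two sample lines are the ones quoted above; the third is constructed, and the 10-minute threshold and the `year` default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Virus hit as it appears in the log lines quoted in this thread:
# "<date> <host> MailScanner[pid]: <dir>/incoming/<pid>/./<queue-id>/<file>: <sig> FOUND"
HIT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+"
    r"\S*/incoming/\d+/\./(?P<qid>[^/\s]+)/(?P<file>.+?):\s+(?P<sig>\S+)\s+FOUND\s*$"
)

def rescanned(lines, min_gap=timedelta(minutes=10), year=2006):
    """Return hits on the same queue ID and file that span at least min_gap.

    Syslog timestamps carry no year, so one is supplied (assumption: every
    line belongs to the same calendar year).
    """
    seen = defaultdict(list)
    for line in lines:
        m = HIT.match(line)
        if not m:
            continue  # filename checks and other messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[(m["qid"], m["file"], m["sig"])].append(ts)
    report = []
    for (qid, name, sig), stamps in seen.items():
        span = max(stamps) - min(stamps)
        if span >= min_gap:
            report.append({"queue_id": qid, "file": name, "signature": sig,
                           "hits": len(stamps), "span": span})
    return sorted(report, key=lambda r: r["span"], reverse=True)

SAMPLE = [
    # The two lines below are quoted from the thread.
    "Jan 19 12:35:22 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND",
    "Jan 19 13:35:04 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND",
    # Constructed line: a message that is found once and never seen again.
    "Jan 19 12:40:10 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./EXAMPLE00001.AAAAA/sample.exe: Example.Sig-1 FOUND",
]

if __name__ == "__main__":
    for r in rescanned(SAMPLE):
        print(f"{r['queue_id']} {r['file']} ({r['signature']}): "
              f"{r['hits']} hits over {r['span']}")
```

A queue ID that this reports is a candidate for the archive-and-requeue handling described in the message above.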


