Infected message slipped through -- curious warning message

Ohlenmacher, Olaf Olaf.Ohlenmacher at colt.net
Wed Jun 14 18:26:23 IST 2006


Hello,
our customer reported that he received an infected email. This email was
scanned by MailScanner (Version 4.52.2 on RedHat EL ES 3) with Sophos
and ClamAV (Version 0.88.2). This email was infected by
"Worm.SomeFool.X-msg" (identified by ClamAV). I browsed through the logs
and found a warning saying "Other Checks: Found 1 problems" for the ID
of this email (see below). 

After this I looked for this warning and saw it cluttering my logs. So I
suspect that many other viruses were not identified and email not
disinfected.

I looked through the Changelog and the last two months of the mailing list
postings but found nothing that seems to be appropriate.

Is this failure caused by a known bug or is it caused by a configuration
error?

Help is appreciated! Any ideas?!

Regards,
	Olf

Logs for MailScanner Batch with 2 Emails: 
* k5C7P8Vo007635 (unidentified Worm.SomeFool.X-msg) and 
* k5C7P8P0007637 (identified W32/Zafi-B)

---  snip ---
Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: Message k5C7P8Vo007635 from 193.238.104.252 (wwwrun at server27.serverflex.de) to blinker.de is spam, spamcop.net, SpamAssassin (score=-4.199, required 6, autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, DNS_FROM_RFC_ABUSE 0.20)
Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: SpamAssassin cache hit for message k5C7P8P0007637
Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: Spam Checks: Found 1 spam messages
Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: Spam Actions: message k5C7P8Vo007635 actions are deliver
Jun 12 09:25:17 jahrverl-li01 MailScanner[32026]: Virus and Content Scanning: Starting
Jun 12 09:25:19 jahrverl-li01 MailScanner[32026]: Virus Scanning: Sophos found 1 infections
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: /data/spool/MailScanner/incoming/32026/./k5C7P8P0007637/link.flashcard.de.viewcard34.php.2672aB.pif: Worm.Zafi.B FOUND
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Virus Scanning: ClamAV found 1 infections
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Infected message k5C7P8P0007637 came from 195.56.241.94
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Virus Scanning: Found 1 viruses
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Filename Checks: Possible MS-Dos program shortcut attack (k5C7P8P0007637 link.flashcard.de.viewcard34.php.2672aB.pif)
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Other Checks: Found 1 problems
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Viruses marked as silent: Sophos: >>> Virus 'W32/Zafi-B' found in file ./k5C7P8P0007637/link.flashcard.de.viewcard34.php.2672aB.pif,ClamAV: link.flashcard.de.viewcard34.php.2672aB.pif contains Worm.Zafi.B
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Uninfected: Delivered 1 messages
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Silent: Delivered 1 messages containing silent viruses
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Notices: Warned about 1 messages
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Batch (2 messages) processed in 10.09 seconds
---  snap  ---
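
An added triage example, not part of the original post and not MailScanner code: it groups the entries of one MailScanner worker by message ID and separates the batch-level entries that name no message (such as "Other Checks: Found 1 problems"), so each summary can be read against the ID-bearing entries around it. The sample is constructed from log lines in the post; the queue-ID pattern and the function names are assumptions.

```python
import re
from collections import defaultdict

# Syslog prefix of a MailScanner entry. Splitting on it (not on newlines)
# tolerates mail-wrapped entries and entries run together on one line.
ENTRY = re.compile(r"\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ MailScanner\[(\d+)\]: ")
# Assumption: sendmail-style queue IDs (8 alphanumerics + 6-digit PID).
QUEUE_ID = re.compile(r"\b[0-9A-Za-z]{8}\d{6}\b")
# Scanner-detection wording as it appears in the log lines of the post.
DETECTION = re.compile(r"FOUND$|^Infected message ")

# Constructed sample: entries from the post, one wrapped and two run together.
SAMPLE = """\
Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: Spam Actions: message
k5C7P8Vo007635 actions are deliver
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: /data/spool/MailScanner/incoming/32026/./k5C7P8P0007637/link.flashcard.de.viewcard34.php.2672aB.pif: Worm.Zafi.B FOUND
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Infected message k5C7P8P0007637 came from 195.56.241.94
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Filename Checks: Possible MS-Dos program shortcut attack (k5C7P8P0007637 link.flashcard.de.viewcard34.php.2672aB.pif)Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Other Checks: Found 1 problems
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Uninfected: Delivered 1 messages
"""

def correlate(log_text, pid):
    """Return ({queue_id: [entry, ...]}, [entries naming no message]) for one worker PID."""
    by_id, summaries = defaultdict(list), []
    marks = list(ENTRY.finditer(log_text))
    for m, nxt in zip(marks, marks[1:] + [None]):
        if m.group(1) != pid:
            continue  # entry belongs to another worker process
        end = nxt.start() if nxt else len(log_text)
        body = " ".join(log_text[m.end():end].split())  # undo line wrapping
        ids = set(QUEUE_ID.findall(body))
        if not ids:
            summaries.append(body)  # batch-level line, no message named
        for qid in ids:
            by_id[qid].append(body)
    return dict(by_id), summaries

def scanner_flagged(by_id):
    """Queue IDs that a virus-scanner entry names explicitly."""
    return {q for q, entries in by_id.items()
            if any(DETECTION.search(e) for e in entries)}

if __name__ == "__main__":
    by_id, summaries = correlate(SAMPLE, "32026")
    for qid, entries in by_id.items():
        print(qid, "flagged" if qid in scanner_flagged(by_id) else "not flagged", len(entries))
    print("batch-level:", summaries)
```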

