Infected message slipped through -- curious warning message

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jun 14 19:47:06 IST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please can you upgrade to the latest version and re-test.
I haven't had any reports of problems from elsewhere, which points to a 
local problem at your site.

Ohlenmacher, Olaf wrote:
> Hello,
> our customer reported that he received an infected email. This email was
> scanned by MailScanner (Version 4.52.2 on RedHat EL ES 3) with Sophos
> and ClamAV (Version 0.88.2). This email was infected by
> "Worm.SomeFool.X-msg" (identified by ClamAV). I browsed through the logs
> and found a warning saying "Other Checks: Found 1 problems" for the ID
> of this email (see below). 
>
> On this I looked for this warning and see it cluttering my logs. So I
> suspect that many other viruses were not identified and email not
> disinfected.
>
> I looked through Changelog and the last two months of the mailing lists
> postings but found nothing that seems to be appropriate.
>
> Is this failure caused by a known bug or is it caused by configuration
> error?
>
> Help is appreciated! Any ideas?!
>
> Regards,
> 	Olf
>
> Logs for MailScanner Batch with 2 Emails: 
> * k5C7P8Vo007635 (unidentified Worm.SomeFool.X-msg) and 
> * k5C7P8P0007637 (identified W32/Zafi-B)
>
> ---  schnipp ---
> Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: Message k5C7P8Vo007635
> from 193.238.104.252 (wwwrun at server27.serverflex.de) to blinker.de is
> spam, spamcop.n
> et, SpamAssassin (score=-4.199, required 6, autolearn=not spam,
> ALL_TRUSTED -1.80, BAYES_00 -2.60, DNS_FROM_RFC_ABUSE 0.20)
> Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: SpamAssassin cache hit
> for message k5C7P8P0007637
> Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: Spam Checks: Found 1
> spam messages
> Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: Spam Actions: message
> k5C7P8Vo007635 actions are deliver
> Jun 12 09:25:17 jahrverl-li01 MailScanner[32026]: Virus and Content
> Scanning: Starting
> Jun 12 09:25:19 jahrverl-li01 MailScanner[32026]: Virus Scanning: Sophos
> found 1 infections
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]:
> /data/spool/MailScanner/incoming/32026/./k5C7P8P0007637/link.flashcard.d
> e.viewcard34.php.2672aB.pif: Worm.Za
> fi.B FOUND
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Virus Scanning: ClamAV
> found 1 infections
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Infected message
> k5C7P8P0007637 came from 195.56.241.94
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Virus Scanning: Found
> 1 viruses
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Filename Checks:
> Possible MS-Dos program shortcut attack (k5C7P8P0007637
> link.flashcard.de.viewcard34.php.26
> 72aB.pif)
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Other Checks:
> Found 1 problems
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Viruses marked as
> silent: Sophos: >>> Virus 'W32/Zafi-B' found in file
> ./k5C7P8P0007637/link.flashcard.de.vi
> ewcard34.php.2672aB.pif,ClamAV:
> link.flashcard.de.viewcard34.php.2672aB.pif contains Worm.Zafi.B
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Uninfected: Delivered
> 1 messages
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Silent: Delivered 1
> messages containing silent viruses
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Notices: Warned about
> 1 messages
> Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Batch (2 messages)
> processed in 10.09 seconds
> ---  schnapp  ---
>

- -- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQA/AwUBRJBZsxH2WUcUFbZUEQLgBgCg+ueJ9Z3lOj3RUh4jLecVBfXDG1IAnjsN
IP8sPMEjnfoMp3/x1GMpX7m9
=TjLF
-----END PGP SIGNATURE-----
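
An added example, not part of either post and not MailScanner code: a short Python script that groups syslog lines like the ones quoted above by message ID, to show which IDs in a batch have a scanner or filename-check line naming them and which have none. The sample lines are constructed by re-joining wrapped lines from the quoted excerpt, and the regular expressions are assumptions based only on those lines.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the quoted excerpt, re-joined where
# the mail client wrapped them. Not a complete MailScanner log.
SAMPLE = """\
Jun 12 09:25:16 jahrverl-li01 MailScanner[32026]: Spam Actions: message k5C7P8Vo007635 actions are deliver
Jun 12 09:25:19 jahrverl-li01 MailScanner[32026]: Virus Scanning: Sophos found 1 infections
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: /data/spool/MailScanner/incoming/32026/./k5C7P8P0007637/link.flashcard.de.viewcard34.php.2672aB.pif: Worm.Zafi.B FOUND
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Infected message k5C7P8P0007637 came from 195.56.241.94
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Filename Checks: Possible MS-Dos program shortcut attack (k5C7P8P0007637 link.flashcard.de.viewcard34.php.2672aB.pif)
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Other Checks: Found 1 problems
Jun 12 09:25:20 jahrverl-li01 MailScanner[32026]: Batch (2 messages) processed in 10.09 seconds
"""

# Syslog prefix; the PID identifies the MailScanner child handling the batch.
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ MailScanner\[(\d+)\]: (.*)$")
# Any line that names a message ID ("message <id>", "Infected message <id>").
MENTION = re.compile(r"\bmessage (\S+)", re.I)
# Lines that tie a finding to a specific message ID (assumed patterns).
FINDINGS = [
    ("clamav", re.compile(r"/incoming/\d+/\./(?P<id>[^/\s]+)/\S+: (?P<detail>\S+) FOUND$")),
    ("infected", re.compile(r"^Infected message (?P<id>\S+) came from (?P<detail>\S+)")),
    ("filename", re.compile(r"^Filename Checks: (?P<detail>.+) \((?P<id>\S+) \S+\)$")),
]

def parse(log_text):
    """Return (seen, hits): IDs mentioned per PID, and findings per (PID, ID)."""
    seen = defaultdict(set)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a MailScanner line, or a wrapped fragment
        pid, body = m.groups()
        seen[pid].update(MENTION.findall(body))
        for kind, rx in FINDINGS:
            f = rx.search(body)
            if f:
                seen[pid].add(f["id"])
                hits[(pid, f["id"])].append((kind, f["detail"]))
    return seen, hits

def unflagged(log_text):
    """Message IDs that appear in the log but are named by no finding line."""
    seen, hits = parse(log_text)
    return sorted((pid, mid) for pid, ids in seen.items()
                  for mid in ids if (pid, mid) not in hits)

if __name__ == "__main__":
    print(unflagged(SAMPLE))
```

On the sample, every per-message finding line names k5C7P8P0007637, and k5C7P8Vo007635 is the only ID left without one.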
