Max Spam Check Size

Kash, Howard (Civ, ARL/CISD) hmkash at arl.army.mil
Fri Oct 13 16:28:38 IST 2006


 
> So far this is working great.  One thing I have noticed, though, and not
> sure if this is proper behavior or not.  An email comes in with a
> password protected zip file infected with Bagle.  Its size is about
> 250k.  Previously it would also have been detected as SPAM (and virus
> infected) and quarantined.  Now the spam checks are skipped and the
> messages are coming through with the attachment stripped, subject
> modified with the value of "Virus Subject Text" and body prepended with
> the contents of "Inline HTML Warning".  Bagle is listed as a "Silent
> Virus" and "Still Deliver Silent Viruses" is set to no.  .zip files are
> denied in our filename.rules.conf.  "Allow Password Protected Archives"
> is no.  So it seems like the filename rule is trumping the silent virus
> setting?  Should it?


After some more digging, it appears that this may be a bug in how silent
viruses are detected that was being masked by spam checks being run even
on large messages.  See the logs for the two messages below, both with
Bagle infected attachments.  The first message is ~225k and the second
is ~85k.  Both are detected as password protected archives.  The first
only triggers the virus scanner on the <message-id>.header file, not on
the zip file itself, whereas the second triggers on both the
<message-id>.header file and the zip attachment.  And only the second
message is marked as silent.  Since the first message was over 150k it
was not detected as spam and the recipient received a stripped message
despite Bagle being listed as a silent virus.

Also notice the from address is blank in both of the "Infected message
<message-id>.header came from" lines.


Howard



Oct 13 08:48:35 mail MailScanner[9819]: Message 7683673CA7.A5EC8 from
201.58.242.33 (user at example.com) to example.com is too big for spam
checks (311952 > 150000 bytes)
Oct 13 08:49:08 mail MailScanner[9819]: Password-protected archive
(zupd02.zip) in 7683673CA7.A5EC8
Oct 13 08:49:09 mail MailScanner[9819]: /7683673CA7.A5EC8.header
Found the W32/Bagle!eml.gen virus !!!
Oct 13 08:49:09 mail MailScanner[9819]: Infected message
7683673CA7.A5EC8.header came from
Oct 13 08:49:09 mail MailScanner[9819]: Filename Checks: Denied file
name (7683673CA7.A5EC8 zupd02.zip)
Oct 13 08:49:09 mail MailScanner[9819]: HTML Img tag found in message
7683673CA7.A5EC8 from user at example.com
Oct 13 08:49:09 mail MailScanner[9819]: Saved infected "zupd02.zip" to
/var/spool/MailScanner/quarantine/20061013/7683673CA7.A5EC8
Oct 13 08:49:10 mail MailScanner[9819]: Requeue: 7683673CA7.A5EC8 to
173E173C67



Oct 13 03:03:36 mail MailScanner[26027]: Message 4744C212F67.DA7FF from
165.165.122.218 (user at example.com) to example.com is spam, SpamAssassin
(not cached, score=19.578, required 5, BAYES_50 1.00,
CUSTOM_RCVD_IN_MANY 3.00, DK_POLICY_SIGNSOME 0.00, FORGED_RCVD_HELO
0.14, HTML_IMAGE_ONLY_04 3.60, HTML_MESSAGE 0.00, HTML_SHORT_LENGTH
1.57, MIME_HTML_ONLY 0.00, MSGID_SPAM_LETTERS 3.02,
RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
RAZOR2_CHECK 0.50, RCVD_IN_NJABL_DUL1.95, RCVD_IN_SORBS_DUL 2.05,
RM_rb_BODY 0.00, RM_rb_BREAK 0.00, RM_rb_HTML 0.00, SARE_GIF_ATTACH
0.75, SARE_GIF_STOX 0.00)
Oct 13 03:03:36 mail MailScanner[26027]: Spam Actions: message
4744C212F67.DA7FF actions are store
Oct 13 03:03:36 mail MailScanner[26027]: Password-protected archive
(Susanna.zip) in 4744C212F67.DA7FF
Oct 13 03:03:36 mail MailScanner[26027]: /4744C212F67.DA7FF.header
Found the W32/Bagle!eml.gen virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: /4744C212F67.DA7FF/Susanna.zip
Found the W32/Bagle.fd!pwdzip virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: Infected message
4744C212F67.DA7FF came from 165.165.122.218
Oct 13 03:03:36 mail MailScanner[26027]: Infected message
4744C212F67.DA7FF.header came from
Oct 13 03:03:36 mail MailScanner[26027]: Filename Checks: Denied file
name (4744C212F67.DA7FF Susanna.zip)
Oct 13 03:03:36 mail MailScanner[26027]: HTML Img tag found in message
4744C212F67.DA7FF from user at example.com
Oct 13 03:03:36 mail MailScanner[26027]: Saved infected "Susanna.zip" to
/var/spool/MailScanner/quarantine/20061013/4744C212F67.DA7FF
Oct 13 03:03:36 mail MailScanner[26027]: Viruses marked as silent:
/4744C212F67.DA7FF/Susanna.zip        Found the W32/Bagle.fd!pwdzip
virus !!!,Denied file name (Susanna.zip),
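As an added example (not part of the post or of MailScanner itself), the following script groups the log lines quoted above by message id and flags the inconsistency described: a virus hit only on the .header file, no "Viruses marked as silent" line, and spam checks skipped because of the size limit. It assumes the log lines are joined back onto single lines and that the regexes below match the MailScanner log wording shown in the post.

```python
import re
from collections import defaultdict

# Log lines taken from the post above, each joined onto one line.
LOG = """\
Oct 13 08:48:35 mail MailScanner[9819]: Message 7683673CA7.A5EC8 from 201.58.242.33 (user at example.com) to example.com is too big for spam checks (311952 > 150000 bytes)
Oct 13 08:49:08 mail MailScanner[9819]: Password-protected archive (zupd02.zip) in 7683673CA7.A5EC8
Oct 13 08:49:09 mail MailScanner[9819]: /7683673CA7.A5EC8.header Found the W32/Bagle!eml.gen virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: Message 4744C212F67.DA7FF from 165.165.122.218 (user at example.com) to example.com is spam, SpamAssassin (not cached, score=19.578, required 5)
Oct 13 03:03:36 mail MailScanner[26027]: Password-protected archive (Susanna.zip) in 4744C212F67.DA7FF
Oct 13 03:03:36 mail MailScanner[26027]: /4744C212F67.DA7FF.header Found the W32/Bagle!eml.gen virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: /4744C212F67.DA7FF/Susanna.zip Found the W32/Bagle.fd!pwdzip virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: Viruses marked as silent: /4744C212F67.DA7FF/Susanna.zip Found the W32/Bagle.fd!pwdzip virus !!!,Denied file name (Susanna.zip),
"""

MSG = r"([0-9A-F]+\.[0-9A-F]+)"  # MailScanner message id, e.g. 7683673CA7.A5EC8
PATTERNS = {
    "spam_skipped": re.compile(r"Message " + MSG + r" .* is too big for spam checks"),
    "spam": re.compile(r"Message " + MSG + r" .* is spam"),
    "pwd_archive": re.compile(r"Password-protected archive \(([^)]+)\) in " + MSG),
    "virus": re.compile(r" /" + MSG + r"(\.header|/\S+) Found the (\S+) virus"),
    "silent": re.compile(r"Viruses marked as silent: /" + MSG + "/"),
}

def parse(log):
    """Group MailScanner log lines into one record per message id."""
    recs = defaultdict(lambda: {"spam_skipped": False, "spam": False,
                                "pwd_archive": [], "virus": {}, "silent": False})
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "pwd_archive":
                recs[m.group(2)]["pwd_archive"].append(m.group(1))
            elif key == "virus":
                recs[m.group(1)]["virus"][m.group(2)] = m.group(3)  # file -> virus name
            else:
                recs[m.group(1)][key] = True
    return dict(recs)

def audit(recs):
    """Ids with a .header-only virus hit, no silent marking, and spam checks skipped."""
    flagged = []
    for mid, r in recs.items():
        header_only = bool(r["virus"]) and set(r["virus"]) == {".header"}
        if header_only and not r["silent"] and r["spam_skipped"]:
            flagged.append(mid)
    return flagged
```

Running `audit(parse(LOG))` on the quoted excerpt singles out the large message, which is the one the recipient received stripped instead of quarantined.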
