Found viruses but Uninfected Delivered

Randal, Phil prandal at herefordshire.gov.uk
Fri Dec 7 09:52:49 GMT 2007


See my and Michael Mansour's earlier posts.

This is a prime example of why "rpmforging" MailScanner and its support
modules is a bad idea.

Updates to both perl-MIME-tools and perl-Mail-Tools have broken
MailScanner.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Takashi Asakawa
> Sent: 07 December 2007 02:43
> To: MailScanner discussion
> Subject: Re: Found viruses but Uninfected Delivered
> 
> Hi 
> 
> Virus blocking doesn't work
> 
> MailScanner 4.66.2 + perl-MIME-tools 5.424-1
> 
> -------------------------------
> 
> Works normally
> 
> MailScanner 4.66.2 + perl-MIME-tools.noarch 5.420-1.el4.rf
> 
> 
> 
> 
> Best regards,
> 
> > Hi all
> > 
> > Found 1 viruses but Uninfected Delivered
> > 
> > ---------
> > MailScanner[21677]: /var/spool/MailScanner/incoming/21677/./lB63ouC1021957.message: Worm.Antinny-9 FOUND
> > MailScanner[21677]: Virus Scanning: ClamAV found 1 infections
> > MailScanner[21677]: lB63ouC1021957.message=>[Subject: N/A][Date: Thu, 6 Dec 2007 12:50:56 +0900]=>(MIME part)=>3.zip=>ne.scr:infected: Win32.Worm.Antinny.AY
> > MailScanner[21677]: Virus Scanning: Bitdefender found 1 infections
> > MailScanner[21677]: /var/spool/MailScanner/incoming/21677/lB63ouC1021957.message->3.zip->ne.scr->(UPX)  Infection: W32/Worm.E
> > MailScanner[21677]: Virus Scanning: F-Prot found virus W32/Worm.E
> > MailScanner[21677]: Virus Scanning: F-Prot found 1 infections
> > MailScanner[21677]: Virus Scanning: Avg found 1 infections
> > MailScanner[21677]: Virus Scanning: Avast found 1 infections
> > MailScanner[21677]: Virus Scanning: Norman found 1 infections
> > MailScanner[21677]: Infected message 21677 came from
> > MailScanner[21677]: Infected message lB63ouC1021957.message=>[Subject: N came from
> > MailScanner[21677]: Infected message lB63ouC1021957.message came from
> > MailScanner[21677]: Virus Scanning: Found 1 viruses
> > MailScanner[21677]: Uninfected: Delivered 1 messages
> > ---------
> > 
> > My conf
> > ---------
> > %org-name% = 
> > %org-long-name% = 
> > %web-site% = 
> > %etc-dir% = /etc/MailScanner
> > %report-dir% = /etc/MailScanner/reports/en
> > %rules-dir% = /etc/MailScanner/rules
> > %mcp-dir% = /etc/MailScanner/mcp
> > Max Children = 5
> > Run As User = 
> > Run As Group = 
> > Queue Scan Interval = 6
> > Incoming Queue Dir = /var/spool/mqueue.in
> > Outgoing Queue Dir = /var/spool/mqueue
> > Incoming Work Dir = /var/spool/MailScanner/incoming
> > Quarantine Dir = /var/spool/MailScanner/quarantine
> > PID file = /var/run/MailScanner.pid
> > Restart Every = 7200
> > MTA = sendmail
> > Sendmail = /usr/sbin/sendmail
> > sendmail2 = /usr/sbin/sendmail
> > Incoming Work User =
> > Incoming Work Group =
> > Incoming Work Permissions = 0600
> > Quarantine User =
> > Quarantine Group =
> > Quarantine Permissions = 0600
> > Max Unscanned Bytes Per Scan = 100m
> > Max Unsafe Bytes Per Scan = 50m
> > Max Unscanned Messages Per Scan = 30
> > Max Unsafe Messages Per Scan = 30
> > Max Normal Queue Size = 800
> > Scan Messages = yes
> > Reject Message = no
> > Maximum Attachments Per Message = 200
> > Expand TNEF = yes
> > Use TNEF Contents = replace
> > Deliver Unparsable TNEF = no
> > TNEF Expander = /usr/bin/tnef --maxsize=100000000
> > TNEF Timeout = 120
> > File Command = /usr/bin/file
> > File Timeout = 20
> > Gunzip Command = /bin/gunzip
> > Gunzip Timeout = 50
> > Unrar Command = /usr/bin/unrar
> > Unrar Timeout = 50
> > Find UU-Encoded Files = no
> > Maximum Message Size = %rules-dir%/max.message.size.rules
> > Maximum Attachment Size = -1
> > Minimum Attachment Size = -1
> > Maximum Archive Depth = 2
> > Find Archives By Content = yes
> > Zip Attachments = no
> > Attachments Zip Filename = MessageAttachments.zip
> > Attachments Min Total Size To Zip = 100k
> > Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
> > Virus Scanning = yes
> > Virus Scanners = antivir clamav bitdefender f-prot avg avast norman
> > Virus Scanner Timeout = 300
> > Deliver Disinfected Files = no
> > Silent Viruses = HTML-IFrame All-Viruses
> > Still Deliver Silent Viruses = no
> > Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
> > Block Encrypted Messages = no
> > Block Unencrypted Messages = no
> > Allow Password-Protected Archives = no
> > Check Filenames In Password-Protected Archives = yes
> > Allowed Sophos Error Messages =
> > Sophos IDE Dir = /opt/sophos-av/lib/sav
> > Sophos Lib Dir = /opt/sophos-av/lib
> > Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
> > Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
> > ClamAVmodule Maximum Recursion Level = 8
> > ClamAVmodule Maximum Files = 1000
> > ClamAVmodule Maximum Compression Ratio = 250
> > Clamd Port = 3310
> > Clamd Socket = /tmp/clamd
> > Clamd Use Threads = no
> > ClamAV Full Message Scan = yes
> > Dangerous Content Scanning = yes
> > Allow Partial Messages = no
> > Allow External Message Bodies = no
> > Find Phishing Fraud = yes
> > Also Find Numeric Phishing = yes
> > Use Stricter Phishing Net = yes
> > Highlight Phishing Fraud = yes
> > Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
> > Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf
> > Country Sub-Domains List = %etc-dir%/country.domains.conf
> > Allow IFrame Tags = disarm
> > Allow Form Tags = disarm
> > Allow Script Tags = disarm
> > Allow WebBugs = disarm
> > Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap
> > Known Web Bug Servers = msgtag.com
> > Web Bug Replacement = http://www.sng.ecs.soton.ac.uk/mailscanner/images/1x1spacer.gif
> > Allow Object Codebase Tags = disarm
> > Convert Dangerous HTML To Text = no
> > Convert HTML To Text = no
> > Allow Filenames =
> > Deny Filenames =
> > Filename Rules = %etc-dir%/filename.rules.conf
> > Allow Filetypes =
> > Deny Filetypes =
> > Filetype Rules = %etc-dir%/filetype.rules.conf
> > Quarantine Infections = yes
> > Quarantine Silent Viruses = no
> > Quarantine Modified Body = no
> > Quarantine Whole Message = no
> > Quarantine Whole Messages As Queue Files = no
> > Keep Spam And MCP Archive Clean = no
> > Language Strings = %report-dir%/languages.conf
> > Rejection Report = %report-dir%/rejection.report.txt
> > Deleted Bad Content Message Report  = %report-dir%/deleted.content.message.txt
> > Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
> > Deleted Virus Message Report        = %report-dir%/deleted.virus.message.txt
> > Deleted Size Message Report        = %report-dir%/deleted.size.message.txt
> > Stored Bad Content Message Report  = %report-dir%/stored.content.message.txt
> > Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
> > Stored Virus Message Report        = %report-dir%/stored.virus.message.txt
> > Stored Size Message Report        = %report-dir%/stored.size.message.txt
> > Disinfected Report = %report-dir%/disinfected.report.txt
> > Inline HTML Signature = %report-dir%/inline.sig.html
> > Inline Text Signature = %report-dir%/inline.sig.txt
> > Signature Image Filename = %report-dir%/sig.jpg
> > Signature Image <img> Filename = signature.jpg
> > Inline HTML Warning = %report-dir%/inline.warning.html
> > Inline Text Warning = %report-dir%/inline.warning.txt
> > Sender Content Report        = %report-dir%/sender.content.report.txt
> > Sender Error Report        = %report-dir%/sender.error.report.txt
> > Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
> > Sender Virus Report        = %report-dir%/sender.virus.report.txt
> > Sender Size Report         = %report-dir%/sender.size.report.txt
> > Hide Incoming Work Dir = yes
> > Include Scanner Name In Reports = yes
> > Mail Header = X-%org-name%-MailScanner:
> > Spam Header = X-%org-name%-MailScanner-SpamCheck:
> > Spam Score Header = X-%org-name%-MailScanner-SpamScore:
> > Information Header = X-%org-name%-MailScanner-Information:
> > Add Envelope From Header = yes
> > Add Envelope To Header = no
> > Envelope From Header = X-%org-name%-MailScanner-From:
> > Envelope To Header = X-%org-name%-MailScanner-To:
> > Spam Score Character = s
> > SpamScore Number Instead Of Stars = no
> > Minimum Stars If On Spam List = 0
> > Clean Header Value       = Found to be clean
> > Infected Header Value    = Found to be infected
> > Disinfected Header Value = Disinfected
> > Information Header Value = Please contact the ISP for more information
> > Detailed Spam Report = yes
> > Include Scores In SpamAssassin Report = yes
> > Always Include SpamAssassin Report = no
> > Multiple Headers = append
> > Hostname = the %org-name% ($HOSTNAME) MailScanner
> > Sign Messages Already Processed = no
> > Sign Clean Messages = yes
> > Attach Image To Signature = no
> > Attach Image To HTML Message Only = yes
> > Mark Infected Messages = yes
> > Mark Unscanned Messages = yes
> > Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
> > Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
> > Deliver Cleaned Messages = yes
> > Notify Senders = yes
> > Notify Senders Of Viruses = no
> > Notify Senders Of Blocked Filenames Or Filetypes = yes
> > Notify Senders Of Blocked Size Attachments = no
> > Notify Senders Of Other Blocked Content = yes
> > Never Notify Senders Of Precedence = list bulk
> > Scanned Subject Text = {Scanned}
> > Virus Modify Subject = start
> > Virus Subject Text = {Virus?}
> > Filename Modify Subject = start
> > Filename Subject Text = {Filename?}
> > Content Modify Subject = start
> > Content Subject Text = {Dangerous Content?}
> > Size Modify Subject = start
> > Size Subject Text = {Size}
> > Disarmed Modify Subject = start
> > Disarmed Subject Text = {Disarmed}
> > Phishing Modify Subject = no
> > Phishing Subject Text = {Fraud?}
> > Spam Modify Subject = start
> > Spam Subject Text = {Spam?}
> > High Scoring Spam Modify Subject = start
> > High Scoring Spam Subject Text = {Spam?}
> > Warning Is Attachment = yes
> > Attachment Warning Filename = %org-name%-Attachment-Warning.txt
> > Attachment Encoding Charset = ISO-8859-1
> > Archive Mail =
> > Send Notices = yes
> > Notices Include Full Headers = yes
> > Hide Incoming Work Dir in Notices = no
> > Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
> > Notices From = MailScanner
> > Notices To = postmaster
> > Local Postmaster = postmaster
> > Spam List Definitions = %etc-dir%/spam.lists.conf
> > Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
> > Spam Checks = yes
> > Spam Domain List =
> > Spam Lists To Be Spam = 1
> > Spam Lists To Reach High Score = 3
> > Spam List Timeout = 10
> > Max Spam List Timeouts = 7
> > Spam List Timeouts History = 10
> > Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
> > Is Definitely Spam = no
> > Definite Spam Is High Scoring = no
> > Ignore Spam Whitelist If Recipients Exceed = 20
> > Max Spam Check Size = 200k
> > Use Watermarking = no
> > Add Watermark = yes
> > Check Watermarks With No Sender = yes
> > Treat Invalid Watermarks With No Sender as Spam = nothing
> > Check Watermarks To Skip Spam Checks = yes
> > Watermark Secret = %org-name%-Secret
> > Watermark Lifetime = 604800
> > Watermark Header = X-%org-name%-MailScanner-Watermark:
> > Use SpamAssassin = yes
> > Max SpamAssassin Size = 200k
> > Required SpamAssassin Score = 6
> > High SpamAssassin Score = 10
> > SpamAssassin Auto Whitelist = yes
> > SpamAssassin Timeout = 75
> > Max SpamAssassin Timeouts = 10
> > SpamAssassin Timeouts History = 30
> > Check SpamAssassin If On Spam List = yes
> > Include Binary Attachments In SpamAssassin = no
> > Spam Score = yes
> > Cache SpamAssassin Results = yes
> > SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> > Rebuild Bayes Every = 0
> > Wait During Bayes Rebuild = no
> > Use Custom Spam Scanner = no
> > Max Custom Spam Scanner Size = 20k
> > Custom Spam Scanner Timeout = 20
> > Max Custom Spam Scanner Timeouts = 10
> > Custom Spam Scanner Timeout History = 20
> > Spam Actions = deliver header "X-Spam-Status: Yes"
> > High Scoring Spam Actions = deliver header "X-Spam-Status: Yes"
> > Non Spam Actions = deliver header "X-Spam-Status: No"
> > SpamAssassin Rule Actions =
> > Sender Spam Report         = %report-dir%/sender.spam.report.txt
> > Sender Spam List Report    = %report-dir%/sender.spam.rbl.report.txt
> > Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
> > Inline Spam Warning = %report-dir%/inline.spam.warning.txt
> > Recipient Spam Report = %report-dir%/recipient.spam.report.txt
> > Enable Spam Bounce = %rules-dir%/bounce.rules
> > Bounce Spam As Attachment = no
> > Syslog Facility = mail
> > Log Speed = no
> > Log Spam = no
> > Log Non Spam = no
> > Log Permitted Filenames = no
> > Log Permitted Filetypes = no
> > Log Silent Viruses = no
> > Log Dangerous HTML Tags = no
> > SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > SpamAssassin User State Dir =
> > SpamAssassin Install Prefix =
> > SpamAssassin Site Rules Dir = /etc/mail/spamassassin
> > SpamAssassin Local Rules Dir =
> > SpamAssassin Default Rules Dir =
> > MCP Checks = no
> > First Check = spam
> > MCP Required SpamAssassin Score = 1
> > MCP High SpamAssassin Score = 10
> > MCP Error Score = 1
> > MCP Header = X-%org-name%-MailScanner-MCPCheck:
> > Non MCP Actions = deliver
> > MCP Actions = deliver
> > High Scoring MCP Actions = deliver
> > Bounce MCP As Attachment = no
> > MCP Modify Subject = start
> > MCP Subject Text = {MCP?}
> > High Scoring MCP Modify Subject = start
> > High Scoring MCP Subject Text = {MCP?}
> > Is Definitely MCP = no
> > Is Definitely Not MCP = no
> > Definite MCP Is High Scoring = no
> > Always Include MCP Report = no
> > Detailed MCP Report = yes
> > Include Scores In MCP Report = no
> > Log MCP = no
> > MCP Max SpamAssassin Timeouts = 20
> > MCP Max SpamAssassin Size = 100k
> > MCP SpamAssassin Timeout = 10
> > MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
> > MCP SpamAssassin User State Dir =
> > MCP SpamAssassin Local Rules Dir = %mcp-dir%
> > MCP SpamAssassin Default Rules Dir = %mcp-dir%
> > MCP SpamAssassin Install Prefix = %mcp-dir%
> > Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
> > Sender MCP Report = %report-dir%/sender.mcp.report.txt
> > Use Default Rules With Multiple Recipients = no
> > Spam Score Number Format = %d
> > MailScanner Version Number = 4.66.1
> > SpamAssassin Cache Timings = 1800,300,10800,172800,600
> > Debug = no
> > Debug SpamAssassin = no
> > Run In Foreground = no
> > Always Looked Up Last = no
> > Always Looked Up Last After Batch = no
> > Deliver In Background = yes
> > Delivery Method = batch
> > Split Exim Spool = no
> > Lockfile Dir = /tmp
> > Custom Functions Dir = /usr/lib/MailScanner/MailScanner/CustomFunctions
> > Lock Type = 
> > Syslog Socket Type =
> > Minimum Code Status = supported
> > 
> > 
> > -- 
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > Before posting, read http://wiki.mailscanner.info/posting
> > 
> > Support MailScanner development - buy the book off the website! 
> 
> 
> 
> 
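
A log check for the symptom in the quoted excerpt, as an added example that is not part of the original posts or MailScanner's own code: it flags a batch where viruses were found, the "Infected message" lines carry no source address or something other than a bare queue ID, and the same child then logs "Uninfected: Delivered". The batch for PID 21702, its queue ID and the address 192.0.2.10 are constructed, and treating "bare ID plus source address" as the healthy form is an assumption.

```python
import re

# Lines for PID 21677 are taken from the quoted excerpt (unwrapped); the
# batch for PID 21702 is constructed to show a normally attributed detection.
SAMPLE_LOG = """\
MailScanner[21677]: Virus Scanning: ClamAV found 1 infections
MailScanner[21677]: Infected message 21677 came from
MailScanner[21677]: Infected message lB63ouC1021957.message=>[Subject: N came from
MailScanner[21677]: Infected message lB63ouC1021957.message came from
MailScanner[21677]: Virus Scanning: Found 1 viruses
MailScanner[21677]: Uninfected: Delivered 1 messages
MailScanner[21702]: Virus Scanning: ClamAV found 1 infections
MailScanner[21702]: Infected message lB64abC1021999 came from 192.0.2.10
MailScanner[21702]: Virus Scanning: Found 1 viruses
MailScanner[21702]: Uninfected: Delivered 3 messages
"""

LINE = re.compile(r"MailScanner\[(\d+)\]:\s*(.*)")
INFECTED = re.compile(r"Infected message (.*?) came from\s*(\S*)")
FOUND = re.compile(r"Virus Scanning: Found (\d+) viruses")
DELIVERED = re.compile(r"Uninfected: Delivered (\d+) messages")


def find_leaked_batches(log_text):
    """Return one finding per batch that found viruses, could not attribute
    them to a message, and still delivered mail as uninfected."""
    state, findings = {}, []   # state: pid -> counters for the open batch
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2).strip()
        batch = state.setdefault(pid, {"found": 0, "unattributed": []})
        inf, fnd, dlv = INFECTED.match(msg), FOUND.match(msg), DELIVERED.match(msg)
        if inf:
            msg_id, source = inf.group(1).strip(), inf.group(2)
            # Assumed healthy form: bare queue ID followed by a source address.
            if not source or msg_id == pid or ".message" in msg_id:
                batch["unattributed"].append(msg_id)
        elif fnd:
            batch["found"] += int(fnd.group(1))
        elif dlv:
            delivered = int(dlv.group(1))
            if batch["found"] and batch["unattributed"] and delivered:
                findings.append({"pid": pid, "viruses": batch["found"],
                                 "delivered_uninfected": delivered,
                                 "unattributed": batch["unattributed"]})
            del state[pid]   # treated here as closing this child's batch
    return findings
```

Running `find_leaked_batches` over the mail syslog after any update to MailScanner's Perl modules shows whether detections are still being tied to messages before delivery.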

