MailScanner is ignoring some ClamAV 'viruses' from NDB signature databases

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Tue Feb 20 09:50:20 CET 2007


I recently started using some of the extra .NDB/.HDB signature databases
for ClamAV from Sanesecurity - http://www.sanesecurity.com/clamav/.

In some cases MailScanner is recognising a 'virus' detected by these but
is still delivering the message rather than dropping it silently. All
the log entries for messages behaving this way appear to have a
corrupted path name in the virus "FOUND" log record from MailScanner:

Feb 20 08:00:07 cheviot1 MailScanner[26921]:
/var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header:
Email.Spam.Gen103.Sanesecurity.07011703 FOUND

[the faulty part above is "/l1K7xWrE017195.header:"]

The "...MailScanner[12345]: Infected message..." log record also appears
to be corrupt and has lost information:

Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message
l1K7xWrE017195.header came from

[missing the IP address after the "from"]

A correctly formed virus "FOUND" log record from MailScanner should look
like:

Feb 20 08:26:45 cheviot1 MailScanner[27169]:
/var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html:
Html.Img.Gen013.Sanesecurity.06112900 FOUND

and the "...MailScanner[12345]: Infected message..." log record should
look like:

Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message
l1K8QOTB029479 came from 77.124.14.204

The fault occurs with MailScanner-4.57.6-1 running with either
ClamAV-0.87.7 or ClamAV-0.90. 

Appended are the full set of log records for: (1) a message whose
handling shows the bug, and (2) a message whose handling was as
expected.

Quentin Campbell
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------


---- extracts from the Sendmail logs

Below are the log records for a 'virus' message that should have been
dropped silently:

Feb 20 07:59:49 cheviot1 sendmail[17195]: l1K7xWrE017195:
from=<kapprentice at sbcglobal.net>, size=1500, class=0, nrcpts=1,
msgid=<432422272.75323578912331 at thebat.net>, proto=ESMTP, daemon=MTA,
relay=BT-LOADED-PPP15.BTI.NET.PH [203.115.176.15] (may be forged)
Feb 20 07:59:49 cheviot1 sendmail[17195]: l1K7xWrE017195:
to=<XXX.YYY at ncl.ac.uk>, delay=00:00:04, mailer=esmtp, pri=31500,
stat=queued
Feb 20 07:59:57 cheviot1 MailScanner[26921]: Message l1K7xWrE017195 from
203.115.176.15 (kapprentice at sbcglobal.net) to ncl.ac.uk is spam,
SpamAssassin (not cached, score=6.732, required 6, autolearn=disabled,
DATE_IN_PAST_96_XX 1.57, RAZOR2_CF_RANGE_51_100 0.50,
RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, SARE_LWHUGE 1.00,
SARE_LWSYMFMT 1.66)
Feb 20 08:00:04 cheviot1 MailScanner[26921]: Spam Actions: message
l1K7xWrE017195 actions are attachment,deliver
Feb 20 08:00:07 cheviot1 MailScanner[26921]:
/var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header:
Email.Spam.Gen103.Sanesecurity.07011703 FOUND
Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message
l1K7xWrE017195.header came from
Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195: SMTP outgoing
connect on cheviot1.ncl.ac.uk
Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195:
to=<XXX.YYY at ncl.ac.uk>, delay=00:00:23, xdelay=00:00:00, mailer=esmtp,
pri=121500, relay=cyrus.ncl.ac.uk. [128.240.233.238], dsn=2.0.0,
stat=Sent (l1K808jg011667 Message accepted for delivery)
Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195: done;
delay=00:00:23, ntries=1

----

Below are the log records for a 'virus' message that was correctly
handled:

Feb 20 08:26:31 cheviot1 sendmail[29479]: l1K8QOTB029479:
from=<l.a.hogarth at ncl.ac.uk>, size=13226, class=0, nrcpts=1,
msgid=<000901c754c8$cdeb22c0$017fe9fc at usyvimkq>, proto=ESMTP,
daemon=MTA, relay=IGLD-77-124-14-204.inter.net.il [77.124.14.204] (may
be forged)
Feb 20 08:26:31 cheviot1 sendmail[29479]: l1K8QOTB029479:
to=<AAA.BBB at ncl.ac.uk>, delay=00:00:02, mailer=esmtp, pri=43226,
stat=queued
Feb 20 08:26:33 cheviot1 MailScanner[27169]: Message l1K8QOTB029479 from
77.124.14.204 (AAA.BBB at ncl.ac.uk) is whitelisted
Feb 20 08:26:45 cheviot1 MailScanner[27169]:
/var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html:
Html.Img.Gen013.Sanesecurity.06112900 FOUND
Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message
l1K8QOTB029479 came from 77.124.14.204
Feb 20 08:26:46 cheviot1 MailScanner[27169]: HTML Img tag found in
message l1K8QOTB029479 from AAA.BBB at ncl.ac.uk

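As an added example (not part of the post above and not MailScanner's own code), the Python script below audits a MailScanner syslog extract for the two symptoms the post reports: a "FOUND" record whose path names a `.header` file sitting directly under the per-process incoming directory rather than a file inside the message's own subdirectory, and an "Infected message ... came from" record with no source IP after "from". The sample records are the four MailScanner lines from the extracts above with the syslog line wrapping undone; the spool path is the one those logs show, and the function names, problem labels and field names are this example's own.

```python
import re
from collections import OrderedDict

# Spool path as it appears in the post's log extracts.
INCOMING = "/var/spool/MailScanner/incoming"

# Four MailScanner records copied from the post's extracts (syslog wrapping undone).
SAMPLE_LOG = """\
Feb 20 08:00:07 cheviot1 MailScanner[26921]: /var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header: Email.Spam.Gen103.Sanesecurity.07011703 FOUND
Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message l1K7xWrE017195.header came from
Feb 20 08:26:45 cheviot1 MailScanner[27169]: /var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html: Html.Img.Gen013.Sanesecurity.06112900 FOUND
Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message l1K8QOTB029479 came from 77.124.14.204
"""

SYSLOG_PREFIX = (r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                 r"MailScanner\[(?P<pid>\d+)\]: ")
FOUND_RE = re.compile(SYSLOG_PREFIX + r"(?P<path>.+?): (?P<sig>\S+) FOUND$")
INFECTED_RE = re.compile(SYSLOG_PREFIX +
                         r"Infected message (?P<msg>\S+) came from\s*(?P<ip>\S*)$")
HEADER_SUFFIX = ".header"


def parse_found_path(path, pid, incoming=INCOMING):
    """Split a FOUND path into its message-id component and the file hit.

    A normal hit is reported as incoming/<pid>/./<msgid>/<file>; the faulty
    records in the post instead name incoming/<pid>/./<msgid>.header, a file
    sitting directly in the per-process directory.  Returns None for paths
    outside the per-process directory of this PID.
    """
    prefix = f"{incoming}/{pid}/"
    if not path.startswith(prefix):
        return None
    rel = path[len(prefix):]
    if rel.startswith("./"):
        rel = rel[2:]
    head, sep, tail = rel.partition("/")
    return {"component": head, "file": tail if sep else head,
            "in_msg_dir": bool(sep)}


def _entry(findings, pid, msgid):
    # One record per (scanner child PID, message id), created on first sight.
    return findings.setdefault((pid, msgid), {
        "pid": pid, "msgid": msgid, "sigs": [], "ip": None, "problems": []})


def audit(log_text, incoming=INCOMING):
    """Correlate FOUND and 'Infected message' records per (pid, message id)
    and attach a list of problem labels describing the symptoms in the post."""
    findings = OrderedDict()
    for line in log_text.splitlines():
        line = line.rstrip()
        m = FOUND_RE.match(line)
        if m:
            info = parse_found_path(m["path"], m["pid"], incoming)
            if info is None:
                continue
            msgid, problems = info["component"], []
            if not info["in_msg_dir"]:
                problems.append("found-outside-msg-dir")
                if msgid.endswith(HEADER_SUFFIX):
                    msgid = msgid[:-len(HEADER_SUFFIX)]
                    problems.append("hit-on-header-file")
            e = _entry(findings, m["pid"], msgid)
            e["sigs"].append(m["sig"])
            e["problems"].extend(problems)
            continue
        m = INFECTED_RE.match(line)
        if m:
            msgid, problems = m["msg"], []
            if msgid.endswith(HEADER_SUFFIX):
                msgid = msgid[:-len(HEADER_SUFFIX)]
                problems.append("msgid-carries-header-suffix")
            if not m["ip"]:
                problems.append("missing-source-ip")
            e = _entry(findings, m["pid"], msgid)
            e["ip"] = m["ip"] or None
            e["problems"].extend(problems)
    return list(findings.values())


def suspect_messages(log_text, incoming=INCOMING):
    """Message ids whose infection records show any of the symptoms."""
    return [f["msgid"] for f in audit(log_text, incoming) if f["problems"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        status = "SUSPECT" if f["problems"] else "ok"
        print(f"{f['msgid']:16} {status:8} ip={f['ip']} sigs={','.join(f['sigs'])}"
              f" problems={','.join(f['problems']) or '-'}")
```

Run against a real maillog the script flags every message whose FOUND record was attributed to a `.header` file or whose "Infected message" record lacks a source IP; those are the ones to cross-check against sendmail's `stat=Sent` records to see whether they were delivered despite the signature hit.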
