MailScanner is ignoring some ClamAV 'viruses' from NDBsignaturedatabases

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Wed Feb 21 13:47:06 CET 2007


Howard

Thanks for that info. It looks like we are seeing the same behaviour. It
thus appears to be a long standing bug in MailScanner. A pity that
Julian won't/can't fix it.

In our case I suspect a particular collection of new ClamAV signatures I
am using _only_ operates on the message headers and not the message body
and attachments. This is probably why the problem has a higher
visibility now because we have always tagged and delivered spam
messages, rather than quarantining them, and I have never noticed this
before.

Please excuse my comment about corrupt pathnames in log files. Of course
the logged pathname,
/var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header, was
correct and I should have realised that. :-(

Quentin

>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info 
>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
>Of Kash, Howard (Civ, ARL/CISD)
>Sent: 21 February 2007 01:09
>To: MailScanner discussion; MailScanner discussion
>Subject: RE: MailScanner is ignoring some ClamAV 'viruses' 
>from NDBsignaturedatabases
>
>I've reported the same problem multiple times before with 
>McAfee (both on list and in private):
> 
>http://lists.mailscanner.info/pipermail/mailscanner/2006-October/066261.html
> 
>Seems that if a silent virus is only detected in the .header 
>file and not in the attachment itself, it is not properly 
>flagged as silent.  This becomes much more prevalent if you 
>set "Max Spam Check Size" to a relatively low value (say 150k) 
>since larger virus emails which are typically also blocked as 
>spam start getting through (the virus doesn't get through, but 
>the disinfected message does, even though it should have been 
>dropped as a silent virus).
> 
> 
>Howard
> 
>
>________________________________
>
>From: mailscanner-bounces at lists.mailscanner.info on behalf of 
>Quentin Campbell
>Sent: Tue 2/20/2007 3:50 AM
>To: MailScanner discussion
>Subject: MailScanner is ignoring some ClamAV 'viruses' from 
>NDB signaturedatabases
>
>
>
>I recently started using some of the extra .NDB/.HDB signature databases
>for ClamAV from Sanesecurity - http://www.sanesecurity.com/clamav/.
>
>In some cases MailScanner is recognising a 'virus' detected by these but
>is still delivering the message rather than dropping it silently. All
>the log entries for messages behaving this way appear to have a
>corrupted path name in the virus "FOUND" log record from MailScanner:
>
>Feb 20 08:00:07 cheviot1 MailScanner[26921]:
>/var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header:
>Email.Spam.Gen103.Sanesecurity.07011703 FOUND
>
>[the faulty part above is "/l1K7xWrE017195.header:"]
>
>The "...MailScanner[12345]: Infected message..." log record also appears
>to be corrupt and has lost information:
>
>Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message
>l1K7xWrE017195.header came from
>
>[missing the IP address after the "from"]
>
>A correctly formed virus "FOUND" log record from MailScanner should look
>like:
>
>Feb 20 08:26:45 cheviot1 MailScanner[27169]:
>/var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html: Html.Img.Gen013.Sanesecurity.06112900 FOUND
>
>and the "...MailScanner[12345]: Infected message..." log record should
>look like:
>
>Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message
>l1K8QOTB029479 came from 77.124.14.204
>
>The fault occurs with MailScanner-4.57.6-1 running with either
>ClamAV-0.87.7 or ClamAV-0.90.
>
>Appended are the full set of log records for: (1) a message whose
>handling shows the bug, and (2) a message whose handling was as
>expected.
>
>Quentin Campbell
>---
>PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>                           Newcastle University,
>                           Newcastle upon Tyne,
>FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>------------------------------------------------------------------
>
>
>---- extracts from the Sendmail logs
>
>Below are the log records for a 'virus' message that should have been
>dropped silently:
>
>Feb 20 07:59:49 cheviot1 sendmail[17195]: l1K7xWrE017195:
>from=<kapprentice at sbcglobal.net>, size=1500, class=0, nrcpts=1,
>msgid=<432422272.75323578912331 at thebat.net>, proto=ESMTP, daemon=MTA,
>relay=BT-LOADED-PPP15.BTI.NET.PH [203.115.176.15] (may be forged)
>Feb 20 07:59:49 cheviot1 sendmail[17195]: l1K7xWrE017195:
>to=<XXX.YYY at ncl.ac.uk>, delay=00:00:04, mailer=esmtp, pri=31500,
>stat=queued
>Feb 20 07:59:57 cheviot1 MailScanner[26921]: Message l1K7xWrE017195 from
>203.115.176.15 (kapprentice at sbcglobal.net) to ncl.ac.uk is spam,
>SpamAssassin (not cached, score=6.732, required 6, autolearn=disabled,
>DATE_IN_PAST_96_XX 1.57, RAZOR2_CF_RANGE_51_100 0.50,
>RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, SARE_LWHUGE 1.00,
>SARE_LWSYMFMT 1.66)
>Feb 20 08:00:04 cheviot1 MailScanner[26921]: Spam Actions: message
>l1K7xWrE017195 actions are attachment,deliver
>Feb 20 08:00:07 cheviot1 MailScanner[26921]:
>/var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header:
>Email.Spam.Gen103.Sanesecurity.07011703 FOUND
>Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message
>l1K7xWrE017195.header came from
>Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195: SMTP outgoing
>connect on cheviot1.ncl.ac.uk
>Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195:
>to=<XXX.YYY at ncl.ac.uk>, delay=00:00:23, xdelay=00:00:00, mailer=esmtp,
>pri=121500, relay=cyrus.ncl.ac.uk. [128.240.233.238], dsn=2.0.0,
>stat=Sent (l1K808jg011667 Message accepted for delivery)
>Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195: done;
>delay=00:00:23, ntries=1
>
>----
>
>Below are the log records for a 'virus' message that was correctly
>handled:
>
>Feb 20 08:26:31 cheviot1 sendmail[29479]: l1K8QOTB029479:
>from=<l.a.hogarth at ncl.ac.uk>, size=13226, class=0, nrcpts=1,
>msgid=<000901c754c8$cdeb22c0$017fe9fc at usyvimkq>, proto=ESMTP,
>daemon=MTA, relay=IGLD-77-124-14-204.inter.net.il [77.124.14.204] (may
>be forged)
>Feb 20 08:26:31 cheviot1 sendmail[29479]: l1K8QOTB029479:
>to=<AAA.BBB at ncl.ac.uk>, delay=00:00:02, mailer=esmtp, pri=43226,
>stat=queued
>Feb 20 08:26:33 cheviot1 MailScanner[27169]: Message l1K8QOTB029479 from
>77.124.14.204 (AAA.BBB at ncl.ac.uk) is whitelisted
>Feb 20 08:26:45 cheviot1 MailScanner[27169]:
>/var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html: Html.Img.Gen013.Sanesecurity.06112900 FOUND
>Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message
>l1K8QOTB029479 came from 77.124.14.204
>Feb 20 08:26:46 cheviot1 MailScanner[27169]: HTML Img tag found in
>message l1K8QOTB029479 from AAA.BBB at ncl.ac.uk
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!
>
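A small log check for the failure mode described in this thread, added here as an example and not part of MailScanner or of either poster's message: it correlates MailScanner "FOUND" records whose work path is the <queue-id>.header file with the following "Infected message ... came from" record and with sendmail's stat=Sent, so that header-only detections which were nonetheless delivered show up. The regexes and the Hit class are my own assumptions about the log format, derived only from the lines quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog lines copied from the two cases quoted in this thread (re-joined onto
# single lines). Added analysis script, not MailScanner code.
SAMPLE_LOG = """\
Feb 20 08:00:07 cheviot1 MailScanner[26921]: /var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header: Email.Spam.Gen103.Sanesecurity.07011703 FOUND
Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message l1K7xWrE017195.header came from
Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195: to=<XXX.YYY at ncl.ac.uk>, delay=00:00:23, xdelay=00:00:00, mailer=esmtp, pri=121500, relay=cyrus.ncl.ac.uk. [128.240.233.238], dsn=2.0.0, stat=Sent (l1K808jg011667 Message accepted for delivery)
Feb 20 08:26:45 cheviot1 MailScanner[27169]: /var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html: Html.Img.Gen013.Sanesecurity.06112900 FOUND
Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message l1K8QOTB029479 came from 77.124.14.204
""".splitlines()

# Assumed record shapes, based only on the lines above.
FOUND_RE = re.compile(r"MailScanner\[\d+\]: (?P<path>/\S+): (?P<sig>\S+) FOUND$")
INFECTED_RE = re.compile(r"Infected message (?P<name>\S+) came from\s*(?P<ip>\S*)$")
SENT_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): .*\bstat=Sent\b")

@dataclass
class Hit:
    qid: str
    signature: str
    header_only: bool              # matched on <qid>.header, not on an attachment
    from_ip: Optional[str] = None  # None: the "came from" record lost its IP
    delivered: bool = False        # sendmail later logged stat=Sent for this qid

def split_work_path(path):
    # ".../26921/./l1K7xWrE017195.header" -> ("l1K7xWrE017195", True)
    # ".../27169/./l1K8QOTB029479/msg-27169-879.html" -> ("l1K8QOTB029479", False)
    first = path.split("/./", 1)[1].split("/", 1)[0]
    if first.endswith(".header"):
        return first[: -len(".header")], True
    return first, False

def analyse(lines):
    hits = {}
    for line in lines:
        if m := FOUND_RE.search(line):
            qid, header_only = split_work_path(m.group("path"))
            hits[qid] = Hit(qid, m.group("sig"), header_only)
        elif m := INFECTED_RE.search(line):
            qid = split_work_path("/./" + m.group("name"))[0]  # strip ".header"
            if qid in hits:
                hits[qid].from_ip = m.group("ip") or None
        elif (m := SENT_RE.search(line)) and m.group("qid") in hits:
            hits[m.group("qid")].delivered = True
    return hits

def header_only_deliveries(lines):
    # Hits found only in the header file that still left the machine.
    return [h for h in analyse(lines).values() if h.header_only and h.delivered]
```

Run over a day of mail.log, `header_only_deliveries()` lists the queue ids whose "virus" was only seen in the .header file yet reached a recipient; `from_ip is None` flags the truncated "came from" record at the same time.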