Virus not marked as high-spam

Scott Silva ssilva at sgvwater.com
Mon Jan 22 20:02:20 CET 2007


Dave spake the following on 1/20/2007 10:21 AM:
> I've had quite a few emails in the last couple of days that were marked as
> having 'Virus (Trojan.Downloader-648)', and blocked by clamav, bitdefender and
> mailscanner:
> ClamAV: Full Text.exe contains Trojan.Downloader-648
> Bitdefender: Found virus Trojan.Peed.A in file Full Text.exe
> MailScanner: Executable DOS/Windows programs are dangerous in email
> (Full Text.exe)
> No programs allowed (Full Text.exe)
> 
> All of these have been marked as high-spam and blocked completely, which is
> good. I had 1 this morning though that was marked only as spam, and therefore
> sent a pickup notice to the end-user, even though clamav & bitdefender had found
> the virus in it and blocked the message.
> 
> These messages all have a variation of news items:
> Sadam Hussein alive!
> Chinese missile shot down Russian aircraft
> President of Russia Putin dead.
> Hugo Chavez dead. (which is the one that slipped through)
> 
> Any ideas how to make sure that doesn't happen?
> 
This was a new virus variant that hit on Friday. I got one on my spamtrap
account and forwarded copies to the services I use. I ran it through
virustotal.com, and it only hit 3 of the 20 or so scanners there.

Mine hit on the no exe rule, or I wouldn't have caught it either. The safest
thing is to only allow executables inside of a zip file, or only allow them to
be released by an admin.
You could also run your virus scanner over your quarantine from cron. That way
a late update might catch something that passed through earlier.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
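
The cron re-scan suggested in the reply above, sketched as an added example (not part of the original post and not MailScanner's own code). It assumes ClamAV's clamscan, a quarantine under /var/spool/MailScanner/quarantine, and a hypothetical state file and script path; it prints only detections that no earlier run reported.

```shell
#!/bin/sh
# Added example: re-scan the MailScanner quarantine after signature updates.
# Assumed values (not from the post): the paths below and the clamscan binary.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/spool/MailScanner/quarantine}"
SCANNER="${SCANNER:-clamscan}"
SEEN_LIST="${SEEN_LIST:-/var/tmp/quarantine-rescan.seen}"

# Print detections under directory $1 that no earlier run has reported,
# and record them so each late detection is announced only once.
new_detections() {
    tmp=$(mktemp) || return 2
    touch "$SEEN_LIST" || { rm -f "$tmp"; return 2; }
    rc=0
    # clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
    "$SCANNER" -r --infected --no-summary "$1" >"$tmp" 2>/dev/null || rc=$?
    if [ "$rc" -gt 1 ]; then
        rm -f "$tmp"
        echo "scanner failed with exit code $rc" >&2
        return 2
    fi
    # Keep only "path: Signature FOUND" lines absent from the seen list.
    new=$(grep -vxFf "$SEEN_LIST" "$tmp" || true)
    rm -f "$tmp"
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" | tee -a "$SEEN_LIST"
}

# Hypothetical crontab entry, timed to follow the signature update:
#   30 * * * * /usr/local/sbin/quarantine-rescan.sh --report
# cron mails any output to the job owner, so silence means nothing new.
if [ "${1:-}" = "--report" ]; then
    new_detections "$QUARANTINE_DIR"
fi
```

A message that was only caught by a filename rule when it arrived shows up in this output once a later signature update recognises it.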


