Warning: MS log record format changes in 4.65.1 BETA

Gareth list-mailscanner at linguaphone.com
Wed Oct 31 13:58:14 GMT 2007


That was introduced in 4.63 I believe.

On Wed, 2007-10-31 at 13:45, Quentin Campbell wrote:
> Julian
> 
> It appears that 4.65.1-1 changes the format of log records for ClamAV
> Module. I suspect this will catch out log processing scripts.
> 
> In 4.62.9-2 and earlier I saw records similar to:
> 
> Oct 27 16:58:31 cheviot4 MailScanner[12044]: INFECTED::
> MSRBL-Images/3-0-whep:: ./l9RFw72q032134/pills.gif 
> 
> Oct 27 17:10:20 cheviot4 MailScanner[3195]: INFECTED::
> Email.Phishing.RB-1802:: ./l9RG9t87003928/
> 
> Oct 27 17:10:41 cheviot4 MailScanner[3215]: INFECTED::
> Html.Phishing.Bank.Sanesecurity.06030707:: ./l9RGAQeq004535/
> 
> or going back a few months
> 
> Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED::
> Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR
>  
> With 4.65.1-1 BETA, I now see the last few fields moved right one place
> because the phrase "ClamAVModule::INFECTED::" is now split as in
> 
> Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED::
> Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/
> 
> Oct 31 11:07:55 cheviot4 MailScanner[30204]: ClamAV Module::INFECTED::
> Worm.Bagle.GV:: ./l9VB7b0K018893/latest_price31-Oct-2007.zip
> 
> Quentin
> 
> 
> >-----Original Message-----
> >From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> >bounces at lists.mailscanner.info] On Behalf Of Quentin Campbell
> >Sent: 31 October 2007 11:29
> >To: MailScanner discussion
> >Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
> >
> >Gareth
> >
> >I have upgraded to MS BETA 4.65.1-1 one of the 2 hosts that were
> >generating the "INFECTED:: Phishing.Heuristics.Email.SpoofedDomain::
> >...." records.
> >
> >In place of the
> >
> >Oct 31 10:12:37 cheviot2 MailScanner[31346]: INFECTED::
> >Phishing.Heuristics.Email.SpoofedDomain:: ./l9VACFW4011070/
> >
> >records I now get (although fewer of them so far)
> >
> >Oct 31 11:01:16 cheviot2 MailScanner[18379]: ClamAV Module::INFECTED::
> >Phishing.Heuristics.Email.SpoofedDomain:: ./l9VB0vFK005532/
> >
> >records. I assume this means that I am getting far fewer false positives
> >now?
> >
> >Quentin
> >
> >>-----Original Message-----
> >>From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> >>bounces at lists.mailscanner.info] On Behalf Of Gareth
> >>Sent: 31 October 2007 10:27
> >>To: MailScanner discussion
> >>Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
> >>
> >>The fault is equivalent to scanning mail with the
> >>--no-phishing-restrictedscan clamscan option. The update to mailscanner
> >>disabled this option as the author of the clamavmodule made an error and
> >>had this option enabled as the default option.
> >>
> >>I am not 100% sure whether the mailscanner fix came out in 4.62 or 4.63
> >>but I believe it was the latter.
> >>
> >>On Wed, 2007-10-31 at 10:11, Quentin Campbell wrote:
> >>> Gareth
> >>>
> >>> If that is the problem it does not account for why I only see it on 2
> >>> out of 8 otherwise identical MX hosts, all running with the same version
> >>> of MS, ClamAV-Module, ndb files in /usr/local/share/clamav, etc.
> >>>
> >>> I will install the latest BETA version of MS on one of the 2 machines
> >>> and see what happens.
> >>>
> >>> Thanks
> >>>
> >>> Quentin
> >>>
> >>> >-----Original Message-----
> >>> >From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> >>> >bounces at lists.mailscanner.info] On Behalf Of Gareth
> >>> >Sent: 31 October 2007 09:23
> >>> >To: MailScanner discussion
> >>> >Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
> >>> >
> >>> >It's caused by a new feature in clamav with an incorrect default setting.
> >>> >You need to either update MailScanner to include the new scanning option
> >>> >or switch to clamd.
> >>> >
> >>> >On Wed, 2007-10-31 at 08:22, Quentin Campbell wrote:
> >>> >> I am running eight mail gateways with MailScanner-4.62.9-2 using
> >>> >> 'clamavmodule' (Mail-ClamAV-0.20 & ClamAV 0.91.2).
> >>> >>
> >>> >> However, I am only seeing "INFECTED::
> >>> >> Phishing.Heuristics.Email.SpoofedDomain::" on two of them and many of
> >>> >> these look like false positives.
> >>> >>
> >>> >> I cannot see why only two systems are doing this as all eight gateways are
> >>> >> equal preference MX hosts for our domains and share the same type of
> >>> >> mail traffic.
> >>> >>
> >>> >> Any pointers to where else I might look would be appreciated.
> >>> >>
> >>> >> Thanks
> >>> >>
> >>> >> Quentin
> >>> >> ---
> >>> >> PHONE: +44 191 222 8209    Information Systems and Services (ISS),
> >>> >>                            Newcastle University,
> >>> >>                            Newcastle upon Tyne,
> >>> >> FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
> >>> >>
> >>> >------------------------------------------------------------------------
> >>> >
> >>> >--
> >>> >MailScanner mailing list
> >>> >mailscanner at lists.mailscanner.info
> >>> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>> >
> >>> >Before posting, read http://wiki.mailscanner.info/posting
> >>> >
> >>> >Support MailScanner development - buy the book off the website!
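The format change Quentin describes above (the scanner prefix "ClamAVModule::INFECTED::" becoming "ClamAV Module::INFECTED::", which shifts every later field one whitespace-separated word to the right) is exactly what breaks log-processing scripts that pick fields by word position. As an added example, not code from this thread or from MailScanner itself, here is a small Python parser that splits INFECTED records on their "::" delimiters instead, so records written before and after the change parse alike. The sample log lines are constructed to mirror the three record shapes quoted in the thread, the function names are my own, and fragile_signature() only illustrates the word-position approach that the change breaks.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log, modelled on the three record shapes quoted in the thread:
# bare "INFECTED::", the old "ClamAVModule::INFECTED::" and the new "ClamAV Module::INFECTED::".
# A non-infection line is included to show that it is skipped.
SAMPLE_LOG = """\
Oct 27 16:58:31 cheviot4 MailScanner[12044]: INFECTED:: MSRBL-Images/3-0-whep:: ./l9RFw72q032134/pills.gif
Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR
Oct 31 11:07:55 cheviot4 MailScanner[30204]: ClamAV Module::INFECTED:: Worm.Bagle.GV:: ./l9VB7b0K018893/latest_price31-Oct-2007.zip
Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/
Oct 31 11:37:07 cheviot2 MailScanner[9758]: Requeue: l9VBaefJ002190.12345 to 1ABC
"""

# Syslog prefix as written by MailScanner: timestamp, host, "MailScanner[pid]:", message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def fragile_signature(line: str) -> str:
    """The word-position approach the thread warns about: take the 7th
    space-separated word as the virus name.  Correct for the old format,
    silently wrong for the new one, where "ClamAV Module" is two words."""
    return line.split()[6].rstrip(":")


def parse_infected(line: str) -> Optional[Dict[str, str]]:
    """Parse one INFECTED record by its '::' delimiters rather than by word
    position, so old and new scanner prefixes parse alike.
    Returns None for lines that are not INFECTED records."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = [f.strip() for f in m.group("msg").split("::")]
    if "INFECTED" not in fields:
        return None
    i = fields.index("INFECTED")
    # The scanner name, when present, is the field before INFECTED; collapse the
    # space in "ClamAV Module" so old and new records report the same scanner.
    scanner = fields[i - 1].replace(" ", "") if i > 0 else ""
    signature = fields[i + 1] if i + 1 < len(fields) else ""
    path = fields[i + 2] if i + 2 < len(fields) else ""
    # The path is "./<queue id>/<attachment>"; an empty attachment name means the
    # message as a whole was flagged rather than a specific attachment.
    parts = path[2:].split("/", 1) if path.startswith("./") else ["", path]
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "pid": m.group("pid"),
        "scanner": scanner,
        "signature": signature,
        "queue_id": parts[0],
        "attachment": parts[1] if len(parts) > 1 else "",
    }


def count_by_signature(log_text: str) -> Dict[str, int]:
    """Tally INFECTED records per signature across a log, ignoring other lines."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_infected(line)
        if rec is not None:
            counts[rec["signature"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for sample in SAMPLE_LOG.splitlines():
        print(parse_infected(sample))
    print(count_by_signature(SAMPLE_LOG))
```

Splitting on the delimiter MailScanner actually emits, rather than on whitespace, is what makes the parser tolerant of a renamed scanner; the per-signature tally is the kind of summary that lets you spot a sudden run of one phishing heuristic (as happened on two of the eight hosts above) instead of discovering it from a silently mis-parsed report.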


