Warning: MS log record format changes in 4.65.1 BETA
Julian Field
MailScanner at ecs.soton.ac.uk
Wed Oct 31 14:09:29 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gareth wrote:
> That was introduced in 4.63 I believe.
>
> On Wed, 2007-10-31 at 13:45, Quentin Campbell wrote:
>> Julian
>>
>> It appears that 4.65.1-1 changes the format of log records for ClamAV
>> Module. I suspect this will catch out log processing scripts.
>>
>> In 4.62.9-2 and earlier I saw records similar to:
>>
>> Oct 27 16:58:31 cheviot4 MailScanner[12044]: INFECTED::
>> MSRBL-Images/3-0-whep:: ./l9RFw72q032134/pills.gif
>>
>> Oct 27 17:10:20 cheviot4 MailScanner[3195]: INFECTED::
>> Email.Phishing.RB-1802:: ./l9RG9t87003928/
>>
>> Oct 27 17:10:41 cheviot4 MailScanner[3215]: INFECTED::
>> Html.Phishing.Bank.Sanesecurity.06030707:: ./l9RGAQeq004535/
>>
>> or going back a few months
>>
>> Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED::
>> Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR
>>
>> With 4.65.1-1 BETA, I now see the last few fields moved right one place
>> because the phrase "ClamAVModule::INFECTED::" is now split as in
But these following examples look like the ones from 4.62.9-2 that you
posted above.
Surely it's better that it logs which scanner found the infection?
>>
>> Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED::
>> Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/
>>
>> Oct 31 11:07:55 cheviot4 MailScanner[30204]: ClamAV Module::INFECTED::
>> Worm.Bagle.GV:: ./l9VB7b0K018893/latest_price31-Oct-2007.zip
>>
>> Quentin
>>
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>> bounces at lists.mailscanner.info] On Behalf Of Quentin Campbell
>>> Sent: 31 October 2007 11:29
>>> To: MailScanner discussion
>>> Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
>>>
>>> Gareth
>>>
>>> I have upgraded to MS BETA 4.65.1-1 one of the 2 hosts that were
>>> generating the "INFECTED:: Phishing.Heuristics.Email.SpoofedDomain::
>>> ...." records.
>>>
>>> In place of the
>>>
>>> Oct 31 10:12:37 cheviot2 MailScanner[31346]: INFECTED::
>>> Phishing.Heuristics.Email.SpoofedDomain:: ./l9VACFW4011070/
>>>
>>> records I now get (although fewer of them so far)
>>>
>>> Oct 31 11:01:16 cheviot2 MailScanner[18379]: ClamAV Module::INFECTED::
>>> Phishing.Heuristics.Email.SpoofedDomain:: ./l9VB0vFK005532/
>>>
>>> records. I assume this means that I am getting far fewer false positives
>>> now?
>>>
>>> Quentin
>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>>> bounces at lists.mailscanner.info] On Behalf Of Gareth
>>>> Sent: 31 October 2007 10:27
>>>> To: MailScanner discussion
>>>> Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
>>>>
>>>> The fault is equivalent to scanning mail with the
>>>> --no-phishing-restrictedscan clamscan option. The update to mailscanner
>>>> disabled this option as the author of the clamavmodule made an error and
>>>> had this option enabled as the default option.
>>>>
>>>> I am not 100% sure whether the mailscanner fix came out in 4.62 or 4.63
>>>> but I believe it was the latter.
>>>>
>>>> On Wed, 2007-10-31 at 10:11, Quentin Campbell wrote:
>>>>> Gareth
>>>>>
>>>>> If that is the problem it does not account for why I only see it on 2
>>>>> out of 8 otherwise identical MX hosts, all running with the same version
>>>>> of MS, ClamAV-Module, ndb files in /usr/local/share/clamav, etc.
>>>>>
>>>>> I will install the latest BETA version of MS on one of the 2 machines
>>>>> and see what happens.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Quentin
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>>>>> bounces at lists.mailscanner.info] On Behalf Of Gareth
>>>>>> Sent: 31 October 2007 09:23
>>>>>> To: MailScanner discussion
>>>>>> Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
>>>>>>
>>>>>> It's caused by a new feature in clamav with an incorrect default setting.
>>>>>> You need to either update MailScanner to include the new scanning option
>>>>>> or switch to clamd.
>>>>>>
>>>>>> On Wed, 2007-10-31 at 08:22, Quentin Campbell wrote:
>>>>>>> I am running eight mail gateways with MailScanner-4.62.9-2 using
>>>>>>> 'clamavmodule' (Mail-ClamAV-0.20 & ClamAV 0.91.2).
>>>>>>>
>>>>>>> However only seeing "INFECTED:: Phishing.Heuristics.Email.SpoofedDomain::"
>>>>>>> on two of them and many of these look like false positives.
>>>>>>>
>>>>>>> Cannot see why only two systems are doing this as all eight gateways are
>>>>>>> equal preference MX hosts for our domains and share the same type of
>>>>>>> mail traffic.
>>>>>>>
>>>>>>> Any pointers to where else I might look would be appreciated.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Quentin
>>>>>>> ---
>>>>>>> PHONE: +44 191 222 8209   Information Systems and Services (ISS),
>>>>>>>                           Newcastle University,
>>>>>>>                           Newcastle upon Tyne,
>>>>>>> FAX:   +44 191 222 8765   United Kingdom, NE1 7RU.
>>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>
Jules
- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHKIyYEfZZRxQVtlQRAu4EAJ9jKvPyORaiNilNRvc5J0AI6ljx1ACeNo7E
0r02K9LsunyJBr2T2+RxKNA=
=QrT+
-----END PGP SIGNATURE-----
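Added example (not from the thread and not MailScanner's own code): a small Python parser for the INFECTED:: records quoted above that splits on the "::" delimiter instead of on whitespace, so the bare "INFECTED::" form, the older "ClamAVModule::INFECTED::" form and the new "ClamAV Module::INFECTED::" form all yield the same signature and path, while the scanner name is kept where the record carries one. The sample lines are the ones quoted in the thread, re-joined where the mail client wrapped them; the single "New Batch" line is constructed here to stand in for a non-INFECTED record and its wording is not taken from the thread. naive_signature() shows the whitespace-field approach that the new format shifts by one field.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Syslog prefix as it appears in the thread:
#   "<Mon> <day> <HH:MM:SS> <host> MailScanner[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Infection:
    timestamp: str
    host: str
    pid: int
    scanner: Optional[str]  # None for records that carry no scanner name
    signature: str
    path: str               # "./<queue-id>/" or "./<queue-id>/<attachment>"
    queue_id: str           # second path component


def parse_infected(line: str) -> Optional[Infection]:
    """Return an Infection for an INFECTED:: record, or None for anything else.

    Fields are split on the "::" delimiter rather than on whitespace, so
    "ClamAV Module::INFECTED::" (scanner name containing a space),
    "ClamAVModule::INFECTED::" and the bare "INFECTED::" form all yield
    the same signature and path.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group("msg").split("::")]
    if len(fields) == 3 and fields[0] == "INFECTED":    # INFECTED:: <sig>:: <path>
        scanner, signature, path = None, fields[1], fields[2]
    elif len(fields) == 4 and fields[1] == "INFECTED":  # <scanner>::INFECTED:: <sig>:: <path>
        scanner, signature, path = fields[0], fields[2], fields[3]
    else:
        return None
    if not signature or not path.startswith("./"):
        return None
    return Infection(
        timestamp=m.group("ts"), host=m.group("host"), pid=int(m.group("pid")),
        scanner=scanner, signature=signature, path=path,
        queue_id=path.split("/")[1],
    )


def naive_signature(line: str) -> str:
    """The whitespace-field approach that the new record format breaks.

    It works for "INFECTED::" and "ClamAVModule::INFECTED::" because each is
    a single whitespace-delimited token, but with "ClamAV Module::INFECTED::"
    the signature moves one field to the right.
    """
    return line.split()[6].rstrip(":")


def tally_signatures(lines: Iterable[str]) -> Dict[str, int]:
    """Count INFECTED records per signature, ignoring all other log lines."""
    counts: Counter = Counter()
    for line in lines:
        hit = parse_infected(line)
        if hit is not None:
            counts[hit.signature] += 1
    return dict(counts)


# Records quoted in the thread, re-joined onto single lines where the mail
# client wrapped them. The "New Batch" line is constructed to stand in for a
# non-INFECTED record; its wording is not taken from the thread.
OLD_BARE = ("Oct 27 16:58:31 cheviot4 MailScanner[12044]: INFECTED:: "
            "MSRBL-Images/3-0-whep:: ./l9RFw72q032134/pills.gif")
OLD_JOINED = ("Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: "
              "Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR")
NEW_SPACED = ("Oct 31 11:07:55 cheviot4 MailScanner[30204]: ClamAV Module::INFECTED:: "
              "Worm.Bagle.GV:: ./l9VB7b0K018893/latest_price31-Oct-2007.zip")
NEW_PHISH = ("Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: "
             "Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/")
OTHER = "Oct 31 11:37:07 cheviot2 MailScanner[9758]: New Batch: Scanning 1 messages"
SAMPLE_LINES = [OLD_BARE, OLD_JOINED, NEW_SPACED, NEW_PHISH, OTHER]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_infected(line))
    print(tally_signatures(SAMPLE_LINES))
```

Keying on the "::" delimiter also tolerates a scanner name with more than one space, and rejecting records whose path does not start with "./" keeps stray "::" matches out of the tally. Scripts that count by signature or pull the queue ID out of the path stay correct across all three record formats, which is the point Quentin raises and which Julian's interjection (logging which scanner found the infection) makes worth keeping rather than stripping.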