possible corrupt sanesecurity defs
Julian Field
MailScanner at ecs.soton.ac.uk
Wed Feb 20 19:14:13 GMT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris Yuzik wrote:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Chris Yuzik wrote:
>>
>>> Chris Yuzik wrote:
>>>
>>>> Our server downloaded what I believe to be either a corrupt
>>>> sanesecurity definition file or a valid file with a false-positive.
>>>> In any case, hundreds of messages were incorrectly tagged as
>>>> infected. Not a good day.
>>>>
>>>> How do I go about releasing these?
>>>>
>>>> And how can we prevent this from happening in the future?
>>>>
>>>> Any help would be much appreciated.
>>>>
>>> I suppose I should point out that it hit on the rule
>>> "Email.Hdr.Sanesecurity.07021900"
>>>
>> What MTA are you using? Do you quarantine viruses at all? Do you
>> quarantine them as Raw Queue Files? All of this lot are in your
>> MailScanner.conf file.
>>
>> Jules
>>
>> - --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules at Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP Desktop 9.8.0 (Build 2158)
>> Comment: Use Thunderbird Enigmail to verify this message
>> Charset: ISO-8859-1
>>
>> wj8DBQFHvHFrEfZZRxQVtlQRArX7AKCgUl3Mr1Udy1226jhGVUkt1IP7QgCfQZqb
>> znH6KxhHWD4e4di5VsCQJGI=
>> =mlGj
>> -----END PGP SIGNATURE-----
>>
>>
> Julian,
>
> Using Sendmail. We DO quarantine viruses. They are NOT quarantined as
> raw queue files. So, for example, we have a file called "message" in a
> dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243.
In which case something like this should do the trick more or less:
cd /var/spool/MailScanner/quarantine/20080220
# one subdirectory per quarantined message, each holding a file called "message"
for D in *
do
  /usr/sbin/sendmail -t < "$D/message"
  echo "$D"
done
That should deliver the message to where the mail said it was addressed
to in the headers, not the original envelope, but it's probably close
enough.
I have just had a good look at a sample of messages caught by this
signature, and yes there are a lot of them.
However they all appear to be spam.
So I'm just going to let MailScanner deal with them appropriately, no
need for panic actions here.
Jules
- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1
wj8DBQFHvHwIEfZZRxQVtlQRAjMEAJ97uTelKrxys03R+7Dk2neaHIrC5wCfXQp0
AWSiTNy/MGSSmeIpsME3sCQ=
=CRV7
-----END PGP SIGNATURE-----
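A slightly more defensive version of the release loop, added here as an example and not part of the thread. It assumes the layout Chris described (one subdirectory per message under the day's quarantine directory, each holding a file named "message", not a raw queue file), reads the sendmail path from SENDMAIL so a rehearsal can point it at a logging stub, and supports a dry run before anything is re-injected.

```shell
#!/bin/sh
# Re-inject quarantined messages from a MailScanner day directory.
# Assumed layout (from the thread): DAYDIR/<msgid>/message, not raw queue files.
# SENDMAIL can be overridden, e.g. with a stub that only logs, to rehearse a run.
: "${SENDMAIL:=/usr/sbin/sendmail}"

# release_quarantine DAYDIR [dry]
# Prints on stdout the number of messages re-injected (or, in dry mode,
# the number that would be); diagnostics go to stderr.
release_quarantine() {
    daydir=$1
    mode=${2:-live}
    count=0
    for d in "$daydir"/*/; do
        [ -d "$d" ] || continue          # unmatched glob: no subdirectories
        d=${d%/}
        msg="$d/message"
        if [ ! -s "$msg" ]; then
            echo "skip: no message file in $d" >&2
            continue
        fi
        # Require an RFC 822 header line so a stray file is never handed to sendmail.
        if ! head -n 1 "$msg" | grep -Eq '^[A-Za-z-]+:'; then
            echo "skip: $msg does not start with a header line" >&2
            continue
        fi
        if [ "$mode" = dry ]; then
            echo "would release: $msg" >&2
        else
            # -t takes recipients from To:/Cc:/Bcc:, not the original envelope
            "$SENDMAIL" -t < "$msg" || { echo "failed: $msg" >&2; continue; }
        fi
        count=$((count + 1))
    done
    echo "$count"
}
```

Run it once with the second argument set to dry and read the skip lines before doing the live pass.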