possible corrupt sanesecurity defs

Chris Yuzik itdept at fractalweb.com
Wed Feb 20 20:00:49 GMT 2008

Julian Field wrote:
>> Julian,
>> Using Sendmail. We DO quarantine viruses. They are NOT quarantined as 
>> raw queue files. So, for example, we have a file called "message" in a 
>> dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243.
> In which case something like this should do the trick more or less:
> bash
> cd /var/spool/MailScanner/quarantine/20080220
> for F in *
> do
>   /usr/sbin/sendmail -t < $F
>   echo $F
> done
> That should deliver the message to where the mail said it was addressed 
> in the headers, not the original envelope, but it's probably close 
> enough.
> I have just had a good look at a sample of messages caught by this 
> signature, and yes there are a lot of them.
> However they all appear to be spam.
> So I'm just going to let MailScanner deal with them appropriately, no 
> need for panic actions here.
> Jules


I had to modify this a bit because there were approximately 3.2 
bazillion files from postmaster to postmaster that were also tagged. 
Needless to say, I didn't want to re-inject those into the queue.

Most of the emails nailed by this false positive were not spam in our case.

So what I did was:
1) created MySQL query to give me a list of the message IDs that were 
incorrectly tagged as being virus infected, and saved that as a text file.
2) created a small perl script (I suck at bash scripting) to loop over 
the text file and do a system command that looks like 
'/usr/sbin/sendmail -t < m1KEoKOn020766/message'

If anyone wants a copy of my script, please let me know.

Thank you again for your help.
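A worked version of the re-injection loop described in this thread, constructed for this example (it is not Chris's Perl script nor part of MailScanner): it reads the id list produced by the database query, skips messages whose From: and To: are both postmaster so they are not fed back into the queue, and re-injects the rest with sendmail -t. The quarantine path comes from the thread; the one-id-per-line format of the list file and the QUARANTINE_DIR/SENDMAIL variables are assumptions.

```shell
#!/bin/sh
# Re-inject quarantined MailScanner messages whose ids are listed in a text
# file, one per line, skipping postmaster-to-postmaster notifications.
# Hypothetical script written for this example; the directory layout and
# the id list format are assumptions based on the thread.

QUARANTINE_DIR="${QUARANTINE_DIR:-/var/spool/MailScanner/quarantine/20080220}"
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"

# Print the value of header $1 from message file $2 (headers end at the
# first blank line; the header name is matched case-insensitively).
header_value() {
    awk -v h="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^$/ { exit }
        index(tolower($0), h ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }
    ' "$2"
}

# Succeed when both From: and To: point at postmaster, i.e. the message is
# an internal notification that must not be re-injected into the queue.
is_postmaster_loop() {
    from=$(header_value From "$1" | tr 'A-Z' 'a-z')
    to=$(header_value To "$1" | tr 'A-Z' 'a-z')
    case "$from" in *postmaster@*) ;; *) return 1 ;; esac
    case "$to" in *postmaster@*) return 0 ;; *) return 1 ;; esac
}

# Re-inject every listed message with sendmail -t (delivery goes to the
# header recipients, as Julian noted, not the original envelope). Prints
# each re-injected id on stdout and every skip or failure on stderr.
reinject_listed() {
    while IFS= read -r id || [ -n "$id" ]; do
        [ -n "$id" ] || continue
        path="$QUARANTINE_DIR/$id/message"
        if [ ! -f "$path" ]; then
            echo "skip $id: no quarantined message file" >&2
        elif is_postmaster_loop "$path"; then
            echo "skip $id: postmaster-to-postmaster" >&2
        elif "$SENDMAIL" -t < "$path"; then
            echo "$id"
        else
            echo "fail $id: sendmail returned an error" >&2
        fi
    done < "$1"
}
```

Run it as `reinject_listed ids.txt > reinjected.log` after sourcing, so the list of ids that actually went back into the queue is kept.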


