possible corrupt sanesecurity defs
Ugo Bellavance
ugob at lubik.ca
Wed Feb 20 20:23:24 GMT 2008
Chris Yuzik wrote:
> Julian Field wrote:
>>> Julian,
>>>
>>> Using Sendmail. We DO quarantine viruses. They are NOT quarantined as
>>> raw queue files. So, for example, we have a file called "message" in
>>> a dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243.
>>>
>> In which case something like this should do the trick more or less:
>>
>> bash
>> cd /var/spool/MailScanner/quarantine/20080220
>> for F in *        # each entry is a message-id directory, not a file
>> do
>> /usr/sbin/sendmail -t < "$F"/message   # the message itself is <id>/message
>> echo "$F"
>> done
>>
>> That should deliver the message to where the mail said it was
>> addressed to in the headers, not the original envelope, but it's
>> probably close enough.
>>
>> I have just had a good look at a sample of messages caught by this
>> signature, and yes there are a lot of them.
>> However they all appear to be spam.
>> So I'm just going to let MailScanner deal with them appropriately, no
>> need for panic actions here.
>>
>> Jules
>>
>
> Jules,
>
> I had to modify this a bit because there were approximately 3.2
> bazillion files from postmaster to postmaster that were also tagged.
> Needless to say, I didn't want to re-inject those into the queue.
>
> Most of the emails nailed by this false positive were not spam in our case.
>
> So what I did was:
> 1) created MySQL query to give me a list of the message IDs that were
> incorrectly tagged as being virus infected, and saved that as a text file.
> 2) created a small perl script ( I suck at bash scripting ) to loop over
> the text file and do a system command that looks like
> '/usr/sbin/sendmail -t < m1KEoKOn020766/message'
>
> If anyone wants a copy of my script, please let me know.
For those who are using MailWatch, I think that there is a way to
achieve this... maybe a script is already on the MW list...
Ugo
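The two-step procedure Chris describes above (a list of message IDs from the database, then a loop that feeds each <id>/message to sendmail -t), written out as an added shell example; it is not from the thread or from MailScanner. It assumes the quarantine layout named in the thread (<date>/<message-id>/message), takes the quarantine date directory and the ID list file as arguments, refuses IDs that could point outside the quarantine directory, and, matching Chris's concern, skips messages that are from postmaster to postmaster instead of re-injecting them. SENDMAIL is an assumed override variable (handy for a dry run with a stub); the status lines it prints are the example's own convention. As Julian notes, -t delivers to the header recipients, not the original envelope.

```shell
#!/bin/sh
# Added example (not from the thread): re-inject quarantined messages whose
# IDs are listed in a file, one per line, as produced by step 1 above.
# Assumed layout, as described in the thread: <quarantine-date-dir>/<id>/message
# SENDMAIL is an assumed override; it defaults to the path used in the thread.
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"

# Succeeds (exit 0) when both From: and To: in the header block mention
# postmaster, i.e. the notification-to-notification mail Chris wanted kept
# out of the queue. Only the headers (up to the first blank line) are read.
is_postmaster_loop() {
    headers=$(sed -n '1,/^$/p' "$1")
    if printf '%s\n' "$headers" | grep -iq '^from:.*postmaster' &&
       printf '%s\n' "$headers" | grep -iq '^to:.*postmaster'; then
        return 0
    fi
    return 1
}

# reinject_quarantine <quarantine-date-dir> <id-list-file>
# Prints one status line per ID: REINJECTED, SKIPPED-POSTMASTER, MISSING,
# FAILED or BAD-ID, so the run can be reviewed afterwards.
reinject_quarantine() {
    qdir="$1"
    idfile="$2"
    while IFS= read -r id || [ -n "$id" ]; do
        # skip blank lines and comments in the ID list
        case "$id" in ''|'#'*) continue ;; esac
        # an ID containing a slash or starting with ".." could escape $qdir
        case "$id" in */*|..*) echo "BAD-ID $id"; continue ;; esac
        msg="$qdir/$id/message"
        if [ ! -f "$msg" ]; then
            echo "MISSING $id"
            continue
        fi
        if is_postmaster_loop "$msg"; then
            echo "SKIPPED-POSTMASTER $id"
            continue
        fi
        # explicit stdin redirection, so sendmail never consumes the ID list
        if "$SENDMAIL" -t < "$msg"; then
            echo "REINJECTED $id"
        else
            echo "FAILED $id"
        fi
    done < "$idfile"
}

# usage: reinject_quarantine /var/spool/MailScanner/quarantine/20080220 ids.txt
```

Run it first with SENDMAIL pointing at a stub that only logs its input; once the status lines show that only the intended false positives would be re-injected, run it against the real sendmail.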