MailScanner delivering mail with virus?

Julian Field MailScanner at ecs.soton.ac.uk
Thu Sep 4 16:55:12 IST 2008


Can you try setting
ClamAV Full Message Scan = no
and giving it another go?
I don't like the look of
43E59D98828.C43D0.message
as a filename, that looks definitely wrong to me. It is not managing to 
extract the attachment filename from the virus scanner report.

Can you send me a copy of the mail queue file please? (off-list, to 
mailscanner at ecs.soton.ac.uk).

Thanks,
Jules.

Vincent Verhagen wrote:
> Using:
> MailScanner 4.71.10
> F-Prot-6 (not the daemon)
>
> For some reason, MailScanner has passed some emails that were 
> virus-infected according to F-Prot.
> See this excerpt from the log:
>
> Sep  4 14:51:29 mail2 MailScanner[21344]: New Batch: Scanning 1 
> messages, 31790 bytes
> Sep  4 14:51:29 mail2 MailScanner[21344]: Spam Checks completed at 
> 90432 bytes per second
> Sep  4 14:51:29 mail2 MailScanner[21344]: Virus and Content Scanning: 
> Starting
> Sep  4 14:51:33 mail2 MailScanner[21344]: [Found possible security 
> risk] <W32/Heuristic-200!Eldorado (not disinfectable)> 
> ./43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> Sep  4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: F-Prot6 
> found 1 infections
> Sep  4 14:51:33 mail2 MailScanner[21344]: Infected message 
> 43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe 
> came from
> Sep  4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
> Sep  4 14:51:33 mail2 MailScanner[21344]: Virus Scanning completed at 
> 9003 bytes per second
> Sep  4 14:51:33 mail2 MailScanner[21344]: Requeue: 43E59D98828.C43D0 
> to 5ADD8D98829
> Sep  4 14:51:33 mail2 MailScanner[21344]: Uninfected: Delivered 1 
> messages
> Sep  4 14:51:33 mail2 MailScanner[21344]: Batch completed at 8160 
> bytes per second (31790 / 3)
> Sep  4 14:51:33 mail2 MailScanner[21344]: Batch (1 message) processed 
> in 3.90 seconds
> Sep  4 14:51:33 mail2 MailScanner[21344]: Logging message 
> 43E59D98828.C43D0 to SQL
> Sep  4 14:51:33 mail2 MailScanner[21344]: "Always Looked Up Last" took 
> 0.00 seconds
>
> A few minutes later, it does so again:
>
> Sep  4 14:53:31 mail2 MailScanner[21344]: New Batch: Scanning 1 
> messages, 32024 bytes
> Sep  4 14:53:31 mail2 MailScanner[21344]: Spam Checks: Found 1 spam 
> messages
> Sep  4 14:53:31 mail2 MailScanner[21344]: Spam Checks completed at 
> 87136 bytes per second
> Sep  4 14:53:31 mail2 MailScanner[21344]: Virus and Content Scanning: 
> Starting
> Sep  4 14:53:35 mail2 MailScanner[21344]: [Found possible security 
> risk] <W32/Heuristic-200!Eldorado (not disinfectable)> 
> ./9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> Sep  4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: F-Prot6 
> found 1 infections
> Sep  4 14:53:35 mail2 MailScanner[21344]: Infected message 
> 9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe 
> came from
> Sep  4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
> Sep  4 14:53:35 mail2 MailScanner[21344]: Virus Scanning completed at 
> 8846 bytes per second
> Sep  4 14:53:35 mail2 MailScanner[21344]: Requeue: 9D0DFD98829.A3D54 
> to DE875D98828
> Sep  4 14:53:35 mail2 MailScanner[21344]: Uninfected: Delivered 1 
> messages
> Sep  4 14:53:35 mail2 MailScanner[21344]: Batch completed at 8002 
> bytes per second (32024 / 4)
> Sep  4 14:53:35 mail2 MailScanner[21344]: Batch (1 message) processed 
> in 4.00 seconds
> Sep  4 14:53:35 mail2 MailScanner[21344]: Logging message 
> 9D0DFD98829.A3D54 to SQL
> Sep  4 14:53:35 mail2 MailScanner[21344]: "Always Looked Up Last" took 
> 0.00 seconds
>
> MailScanner is not configured to deliver viruses in any way and has 
> never done so before.
> Anyone have an idea what causes this?
>
> Regards,
> Vincent
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
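
A log check for the symptom in the quoted excerpt, as an added example that is not part of the original thread or MailScanner's own code: it flags any message the scanner reported as infected that the same batch then requeued and counted under "Uninfected: Delivered". The sample lines are rejoined from the wrapped log above; the function name and the rule of cutting the reported name at `.message` to recover the queue ID are assumptions.

```python
import re

# Log lines rejoined from the wrapped excerpt quoted in this thread.
SAMPLE = """\
Sep  4 14:51:29 mail2 MailScanner[21344]: New Batch: Scanning 1 messages, 31790 bytes
Sep  4 14:51:33 mail2 MailScanner[21344]: Infected message 43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe came from
Sep  4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
Sep  4 14:51:33 mail2 MailScanner[21344]: Requeue: 43E59D98828.C43D0 to 5ADD8D98829
Sep  4 14:51:33 mail2 MailScanner[21344]: Uninfected: Delivered 1 messages
"""

LINE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
INFECTED = re.compile(r"Infected message (\S+) came from")
REQUEUE = re.compile(r"Requeue: (\S+) to (\S+)")


def find_delivered_infections(log_text):
    """Return (pid, queue_id, new_id, raw_name) for each message that was
    reported infected and then requeued in a batch delivered as uninfected."""
    batches, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("New Batch:"):
            # Each child process handles one batch at a time, so reset per PID.
            batches[pid] = {"flagged": {}, "requeued": {}}
            continue
        state = batches.setdefault(pid, {"flagged": {}, "requeued": {}})
        if (hit := INFECTED.search(msg)):
            raw = hit.group(1)
            # Assumption: when the report path was not reduced to a plain
            # queue ID, the ID is whatever precedes ".message".
            state["flagged"][raw.split(".message", 1)[0]] = raw
        elif (hit := REQUEUE.search(msg)):
            state["requeued"][hit.group(1)] = hit.group(2)
        elif msg.startswith("Uninfected: Delivered"):
            for qid, raw in state["flagged"].items():
                if qid in state["requeued"]:
                    findings.append((pid, qid, state["requeued"][qid], raw))
    return findings


if __name__ == "__main__":
    for pid, qid, new_id, raw in find_delivered_infections(SAMPLE):
        print(f"pid {pid}: {qid} reported as {raw!r} but requeued to {new_id}")
```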

