Potential Postfix CentOS message unpacking bug
Andreas Kasenides
Andreas.Kasenides at cs.ucy.ac.cy
Mon Sep 15 13:26:30 IST 2008
Julian Field wrote:
> As some of you may have already realised, a few people are having a
> problem on particular OS's when using Postfix, where messages
> generated by a particular Trojan are not being unpacked properly.
>
> So Postfix users on CentOS, please can you check your logs for any
> 16-17Kb spams which could possibly contain an attachment called
> "start.zip" (grep should find it in raw queue files, if you're
> wondering how to do that for raw queue files), which have not always
> been detected as infected.
>
> You might want to use the "Archive Mail" feature of MailScanner.conf
> for a while to see if you're getting anything like that, in case you
> are suffering the problem.
>
> We would very much like to know how widespread this problem is, so
> please report back with your findings and we'll take a straw poll of
> the respondents.
>
> Thanks folks!
>
> Jules
>
Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2.
Many of these, actually 79 in the last 36 hours or so, have been caught
successfully.
Sep 14 07:25:25 iolaos-new MailScanner[16162]:
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip:
Trojan.Fakealert-532 FOUND
Sep 14 07:25:29 iolaos-new MailScanner[15957]:
/var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip:
Trojan.Fakealert-532 FOUND
Sep 14 07:26:05 iolaos-new MailScanner[15906]:
/var/spool/MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip:
Trojan.Fakealert-532 FOUND
Sep 14 07:30:16 iolaos-new MailScanner[16162]:
/var/spool/MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip:
Trojan.Fakealert-532 FOUND
.......
cat maillog|grep DC59F8C275.169EC
Sep 14 07:25:25 iolaos-new MailScanner[16162]:
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip:
Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]:
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe:
Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message
DC59F8C275.169EC came from 83.206.158.181
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks:
(DC59F8C275.169EC Start.exe)
Andreas
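The check Jules asks for above (which messages carrying start.zip were, or were not, flagged as infected) can be done by correlating the MailScanner log lines by Postfix queue ID. The following is an added example written for this archive page, not code from MailScanner or from either poster. It parses the three line shapes visible in Andreas's excerpt (the ClamAV "FOUND" line, "Infected message ... came from ...", and "Filename Checks"), groups them per queue ID, and then compares that against a list of queue IDs obtained by grepping the raw queue files for start.zip. The sample log text is constructed from the quoted lines; the queue ID ABCDEF0123.45678 and the address 192.0.2.10 are made-up values that do not appear in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample log, modelled on the MailScanner/ClamAV lines quoted in
# the thread. The address 192.0.2.10 is a documentation-range placeholder, and
# C8E378C2A5.BBD68 is deliberately given only a start.zip detection (no inner
# Start.exe, no Filename Checks line) to represent an archive that was not
# unpacked. Real log lines are single lines; the archive page wrapped them.
SAMPLE_LOG = """\
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: (DC59F8C275.169EC Start.exe)
Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:29 iolaos-new MailScanner[15957]: Infected message C8E378C2A5.BBD68 came from 192.0.2.10
"""

# syslog prefix: "Sep 14 07:25:25 host MailScanner[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# ClamAV hit on a file inside the per-message work directory
FOUND_RE = re.compile(
    r"^/var/spool/MailScanner/incoming/\d+/\./(?P<qid>[^/]+)/(?P<file>.+): (?P<sig>\S+) FOUND$"
)
INFECTED_RE = re.compile(r"^Infected message (?P<qid>\S+) came from (?P<ip>\S+)$")
FILENAME_RE = re.compile(r"^Filename Checks: \((?P<qid>\S+) (?P<file>.+)\)$")


@dataclass
class MessageReport:
    queue_id: str
    first_seen: str
    source_ip: Optional[str] = None
    detections: Dict[str, str] = field(default_factory=dict)  # file -> signature
    filename_hits: Set[str] = field(default_factory=set)      # files named by Filename Checks


def parse_maillog(text: str) -> Dict[str, MessageReport]:
    """Group MailScanner log lines by Postfix queue ID."""
    reports: Dict[str, MessageReport] = {}

    def report_for(qid: str, ts: str) -> MessageReport:
        if qid not in reports:
            reports[qid] = MessageReport(queue_id=qid, first_seen=ts)
        return reports[qid]

    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a MailScanner line (Postfix, ClamAV daemon, ...)
        msg = m["msg"]
        if (f := FOUND_RE.match(msg)):
            report_for(f["qid"], m["ts"]).detections[f["file"]] = f["sig"]
        elif (i := INFECTED_RE.match(msg)):
            report_for(i["qid"], m["ts"]).source_ip = i["ip"]
        elif (n := FILENAME_RE.match(msg)):
            report_for(n["qid"], m["ts"]).filename_hits.add(n["file"])
    return reports


def archive_unpacked(report: MessageReport) -> bool:
    """True if MailScanner saw a file other than the .zip itself, i.e. the
    archive was unpacked (the Start.exe lines in Andreas's log are this case)."""
    seen = set(report.detections) | report.filename_hits
    return any(not name.lower().endswith(".zip") for name in seen)


def infected_queue_ids(reports: Dict[str, MessageReport]) -> Set[str]:
    return {qid for qid, r in reports.items() if r.detections}


def undetected(start_zip_queue_ids: Iterable[str], reports: Dict[str, MessageReport]) -> List[str]:
    """Queue IDs that carried start.zip (from grepping the raw queue files, as
    Jules suggests) but never produced a FOUND line: the cases to report back."""
    return sorted(set(start_zip_queue_ids) - infected_queue_ids(reports))


if __name__ == "__main__":
    reports = parse_maillog(SAMPLE_LOG)
    for qid, r in sorted(reports.items()):
        print(qid, r.source_ip, sorted(r.detections), "unpacked" if archive_unpacked(r) else "NOT unpacked")
    # queue IDs found with start.zip in the raw queue files (constructed list)
    print("undetected:", undetected(["DC59F8C275.169EC", "C8E378C2A5.BBD68", "ABCDEF0123.45678"], reports))
```

In practice the first argument to undetected() would come from the grep over the Postfix queue that Jules describes, and the log text from /var/log/maillog; a queue ID present in the grep result but absent from the infected set is exactly a message that slipped through without a detection, and archive_unpacked() separates "zip flagged as a whole" from "zip opened and inner file seen".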