Potential Postfix CentOS message unpacking bug

Andreas Kasenides Andreas.Kasenides at cs.ucy.ac.cy
Mon Sep 15 13:26:30 IST 2008


Julian Field wrote:
> As some of you may have already realised, a few people are having a 
> problem on particular OS's when using Postfix, where a message 
> generated by a particular Trojan is not being unpacked properly.
>
> So Postfix users on CentOS, please can you check your logs for any 
> 16-17Kb spams which could possibly contain an attachment called 
> "start.zip" (grep should find it in raw queue files, if you're 
> wondering how to do that for raw queue files), which have not always 
> been detected as infected.
>
> You might want to use the "Archive Mail" feature of MailScanner.conf 
> for a while to see if you're getting anything like that, in case you 
> are suffering the problem.
>
> We would very much like to know how widespread this problem is, so 
> please report back with your findings and we'll take a straw poll of 
> the respondents.
>
> Thanks folks!
>
> Jules
>
Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2.
Many of these, actually 79 in the last 36 hours or so, have been caught 
successfully.

Sep 14 07:25:25 iolaos-new MailScanner[16162]: 
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: 
Trojan.Fakealert-532 FOUND
Sep 14 07:25:29 iolaos-new MailScanner[15957]: 
/var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: 
Trojan.Fakealert-532 FOUND
Sep 14 07:26:05 iolaos-new MailScanner[15906]: 
/var/spool/MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip: 
Trojan.Fakealert-532 FOUND
Sep 14 07:30:16 iolaos-new MailScanner[16162]: 
/var/spool/MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip: 
Trojan.Fakealert-532 FOUND
.......
cat maillog|grep DC59F8C275.169EC
Sep 14 07:25:25 iolaos-new MailScanner[16162]: 
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: 
Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: 
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: 
Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message 
DC59F8C275.169EC came from 83.206.158.181
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks:  
(DC59F8C275.169EC Start.exe)


Andreas
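The check Jules asked for, as an added example that is not part of the original thread: correlate Postfix's queue-manager size lines with MailScanner's "Infected message" verdicts and list the 16-17KB messages that never got a verdict, so they can be pulled from the archive and inspected. It assumes the standard Postfix qmgr log format (`QUEUEID: from=<...>, size=N, ...`), that MailScanner's message ID is the Postfix queue ID followed by a dot and the queue-file inode, and the sample maillog below is constructed, not real traffic.

```shell
#!/bin/sh
# Added example: list Postfix queue IDs in the 16-17KB band that MailScanner
# never logged as "Infected message". Those are the candidates worth pulling
# from the archive to check for an undetected start.zip.
# Usage: suspicious_unflagged /var/log/maillog [min_bytes] [max_bytes]
suspicious_unflagged() {
    awk -v min="${2:-16000}" -v max="${3:-17500}" '
        # postfix/qmgr: "QUEUEID: from=<...>, size=N, nrcpt=N (queue active)"
        /postfix\/qmgr\[[0-9]+\]: [0-9A-Za-z]+: from=/ {
            qid = $6; sub(/:$/, "", qid)
            if (match($0, /size=[0-9]+/)) {
                sz = substr($0, RSTART + 5, RLENGTH - 5) + 0
                if (sz >= min && sz <= max) size[qid] = sz
            }
        }
        # MailScanner: "Infected message QUEUEID.INODE came from IP"
        # (assumed: MailScanner appends the queue-file inode to the queue ID)
        /MailScanner\[[0-9]+\]: Infected message / {
            id = $8; sub(/\..*$/, "", id)
            infected[id] = 1
        }
        END { for (q in size) if (!(q in infected)) print q, size[q] }
    ' "$1" | sort
}

# Constructed sample maillog (not real traffic): one caught start.zip spam,
# one same-sized message with no verdict, one small legitimate message.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 14 07:25:20 iolaos-new postfix/qmgr[2001]: DC59F8C275: from=<spam@example.invalid>, size=16543, nrcpt=1 (queue active)
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181
Sep 14 07:31:02 iolaos-new postfix/qmgr[2001]: 7A1B2C3D4E: from=<spam@example.invalid>, size=16871, nrcpt=1 (queue active)
Sep 14 07:32:40 iolaos-new postfix/qmgr[2001]: 1122334455: from=<user@example.invalid>, size=2048, nrcpt=1 (queue active)
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
suspicious_unflagged "$sample"   # prints: 7A1B2C3D4E 16871
rm -f "$sample"
```

Run it against the real maillog with the default size band; anything it prints is a queue ID to look up in the "Archive Mail" copies rather than proof of a missed detection.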