Potential Postfix CentOS message unpacking bug

Paul Bijnens Paul.Bijnens at xplanation.com
Mon Sep 15 17:18:10 IST 2008

On 2008-09-15 10:48, Paul Bijnens wrote:
> On 2008-09-15 09:48, Julian Field wrote:
>> As some of you may have already realised, a few people are having a 
>> problem on particular OS's when using Postfix, where a message 
>> generated by a particular Trojan is not being unpacked properly.
>> So Postfix users on CentOS, please can you check your logs for any 
>> 16-17Kb spams which could possibly contain an attachment called 
>> "start.zip" (grep should find it in raw queue files, if you're 
>> wondering how to do that for raw queue files), which have not always 
>> been detected as infected.
>> You might want to use the "Archive Mail" feature of MailScanner.conf 
>> for a while to see if you're getting anything like that, in case you 
>> are suffering the problem.
>> We would very much like to know how widespread this problem is, so 
>> please report back with your findings and we'll take a straw poll of 
>> the respondents.
> Running MailScanner on CentOS here, with archiving enabled as well.
> I did not find any message containing an attachment "start.zip" in
> my archived mails (between sep 11 and now sep 15 10:41 MET, for a total of
> 10928 mails).
> I'll still keep an eye on it for some days.

If the threat is indeed about the Trojan.Fakealert-532, then we had
some in, and successfully blocked them as well.

Just a few minutes ago:

ClamAV: tube.zip contains Trojan.Fakealert-532

and some more last weekend, but all with different attachment names.

But none got through.

Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  Paul.Bijnens at xplanation.com
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *