Potential Postfix CentOS message unpacking bug
Paul Bijnens
Paul.Bijnens at xplanation.com
Mon Sep 15 17:18:10 IST 2008
On 2008-09-15 10:48, Paul Bijnens wrote:
> On 2008-09-15 09:48, Julian Field wrote:
>> As some of you may have already realised, a few people are having a
>> problem on particular OS's when using Postfix, where a message
>> generated by a particular Trojan is not being unpacked properly.
>>
>> So Postfix users on CentOS, please can you check your logs for any
>> 16-17Kb spams which could possibly contain an attachment called
>> "start.zip" (grep should find it in raw queue files, if you're
>> wondering how to do that for raw queue files), which have not always
>> been detected as infected.
>>
>> You might want to use the "Archive Mail" feature of MailScanner.conf
>> for a while to see if you're getting anything like that, in case you
>> are suffering the problem.
>>
>> We would very much like to know how widespread this problem is, so
>> please report back with your findings and we'll take a straw poll of
>> the respondents.
>
>
> Running MailScanner on CentOS here, with archiving enabled as well.
>
> I did not find any message containing an attachment "start.zip" in
> my archived mails (between sep 11 and now sep 15 10:41 MET, for a total of
> 10928 mails).
>
> I'll still keep an eye on it for some days.
If the threat is indeed about the Trojan.Fakealert-532, then we had
some in, and successfully blocked as well.
Just a few minutes ago:
ClamAV: tube.zip contains Trojan.Fakealert-532
and some more last weekend, but all with different attachment names.
But none got through.
--
Paul Bijnens, xplanation Technology Services Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens at xplanation.com
***********************************************************************
* I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ... "Are you sure?" ... YES ... Phew ... I'm out *
***********************************************************************
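Julian's request above is to look through archived or queued mail for 16-17Kb messages carrying a "start.zip" attachment. The script below is an added illustration of that check and is not part of the thread, MailScanner or Postfix: it parses RFC 822 files (the format MailScanner's "Archive Mail" feature writes; raw Postfix queue files are a record-based format, so for those grep on the raw bytes as Julian suggests), lists every attachment filename, and flags messages whose attachment name is on a watch list, reporting the message size as a secondary triage signal. The watched name comes from the thread; the byte range for "16-17Kb", the helper names and the two sample messages are assumptions constructed here.

```python
"""Scan RFC 822 mail files for watched attachment names (hypothetical helper)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment name reported in the thread.
WATCHED_NAMES = {"start.zip"}
# "16-17Kb" from the thread; bounds chosen here to cover both 1000- and
# 1024-byte kilobytes (assumption).
SIZE_RANGE = (16_000, 17_500)


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the filename of every non-multipart part that declares one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def check_message(raw: bytes, names=WATCHED_NAMES, size_range=SIZE_RANGE) -> dict:
    """Parse one raw message and report watched attachment names and size."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = attachment_names(msg)
    watched = {n.lower() for n in names}
    hits = [n for n in found if n.lower() in watched]
    return {
        "size": len(raw),
        "attachments": found,
        "hits": hits,
        # Size is only a hint; a name hit is what makes the message suspicious.
        "size_match": size_range[0] <= len(raw) <= size_range[1],
        "suspicious": bool(hits),
    }


def scan_dir(path: str) -> list[tuple[str, dict]]:
    """Check every regular file in a directory (e.g. MailScanner's archive)."""
    results = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results.append((entry, check_message(fh.read())))
    return results


def build_sample(filename: str, payload_len: int) -> bytes:
    """Constructed test message with one attachment of the given payload size."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "sample"
    msg.set_content("see attachment")
    # Zero bytes stand in for the attachment body; only the name matters here.
    msg.add_attachment(b"\0" * payload_len, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: one matching the thread's description, one benign.
SAMPLE_HIT = build_sample("start.zip", 12_000)     # ~16.5 KB after base64
SAMPLE_BENIGN = build_sample("report.pdf", 1_000)

if __name__ == "__main__":
    for label, raw in (("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN)):
        print(label, check_message(raw))
```

Run it against a directory with `scan_dir("/var/spool/MailScanner/archive")` (path is an example) and act on entries whose `suspicious` flag is set; `size_match` only helps you rank them.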