Kevin_Miller at ci.juneau.ak.us
Mon Sep 15 21:22:17 IST 2008
Julian Field wrote:
> In /usr/sbin/MailScanner there are a couple of calls to "Explode".
> Immediately after them, add a line saying
> and it will stop straight after the attachment unpacking.
> Then you can go into /var/spool/MailScanner/incoming, find the
> relevant directory and see what attachments it pulled out.
> Then try clamscan-ing them by hand. If the attachments look okay in
> that directory, then it's a clamd issue I think. I would be
> interested to see what clamscan makes of them when run by hand.
I was seeing a number of spam messages coming in w/the subject "Credit
card transaction report". Every now and then one would get tagged as a
virus, but most weren't. However, I went into MailWatch, selected one
that wasn't marked as viral and saved the attached Report.zip to my
linux workstation. Ark extracted the file report.doc.exe. I kicked off
top in a term window, opened another terminal and ran 'clamscan
report.doc.exe'. W/in a couple seconds CPU utilization was pegged.
I'm running plain old clamav, not clamscan or clamd.
Not much to go on, but maybe this will help a bit...
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500
More information about the MailScanner