Potential Postfix CentOS message unpacking bug

Mark Sapiro mark at msapiro.net
Sat Sep 20 02:28:23 IST 2008


Mark Sapiro wrote:

>On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote:
>> 
>> So Postfix users on CentOS, please can you check your logs for any 
>> 16-17Kb spams which could possibly contain an attachment called 
>> "start.zip" (grep should find it in raw queue files, if you're wondering 
>> how to do that for raw queue files), which have not always been detected 
>> as infected.
>
>
>I have seen exactly one of these
>
>/var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip
>
>in the last 30 days and no spam quarantined with start.zip attachments.
>
> 
>> You might want to use the "Archive Mail" feature of MailScanner.conf for 
>> a while to see if you're getting anything like that, in case you are 
>> suffering the problem.
>
>
>I have just enabled Archive Mail and will look for start.zip in the archive.


Here's an update. This is very strange. I set

Archive Mail = /var/spool/MailScanner/archive

in MailScanner.conf, and I started looking for archived messages
containing start.zip. I also noticed that the actual trojan when
identified was identified as Trojan.Fakealert-532, so I looked for
that in clamd reports as well and found several detections in messages
with a "tube.zip" attachment. Two days ago, I found two archived
messages with tube.zip attachments that had been quarantined as
high-spam and not detected by clamd as infected with
Trojan.Fakealert-532.

I wanted to see the spam detections for these messages so I added a
rule to my high spam rules that would forward the message to me and
reloaded MailScanner. I then copied one of the archived queue files to
/var/spool/postfix/hold/ and was shocked to find that this time it was
flagged by clamd as infected with Trojan.Fakealert-532. This requeued
message was archived too and I did a cmp of the two archived queue
files and they were identical, yet the first message was not flagged
by clamd and was quarantined as high spam and the second message was
flagged by clamd.

So the bottom line is I've seen the problem, but it appears to be
intermittent, even with an identical message.

# MailScanner -v
Running on
Linux sbh16.songbird.com 2.6.18-8.1.14.el5 #1 SMP Thu Sep 27 18:58:54 EDT 2007 i686 i686 i386 GNU/Linux
This is CentOS release 5 (Final)
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.71.10
Module versions are:
1.00    AnyDBM_File
1.16    Archive::Zip
0.21    bignum
1.04    Carp
1.42    Compress::Zlib
1.119   Convert::BinHex
0.17    Convert::TNEF
2.121_08        Data::Dumper
2.27    Date::Parse
1.00    DirHandle
1.05    Fcntl
2.74    File::Basename
2.09    File::Copy
2.01    FileHandle
1.08    File::Path
0.20    File::Temp
0.90    Filesys::Df
1.35    HTML::Entities
3.56    HTML::Parser
2.37    HTML::TokeParser
1.23    IO
1.14    IO::File
1.13    IO::Pipe
2.02    Mail::Header
1.86    Math::BigInt
0.19    Math::BigRat
3.05    MIME::Base64
5.425   MIME::Decoder
5.425   MIME::Decoder::UU
5.425   MIME::Head
5.425   MIME::Parser
3.03    MIME::QuotedPrint
5.425   MIME::Tools
0.11    Net::CIDR
1.25    Net::IP
0.16    OLE::Storage_Lite
1.04    Pod::Escapes
3.05    Pod::Simple
1.09    POSIX
1.18    Scalar::Util
1.78    Socket
2.15    Storable
1.4     Sys::Hostname::Long
0.13    Sys::Syslog
1.26    Test::Pod
0.6     Test::Simple
1.68    Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.30    Archive::Tar
0.21    bignum
1.82    Business::ISBN
1.10    Business::ISBN::Data
1.08    Data::Dump
1.814   DB_File
1.13    DBD::SQLite
1.56    DBI
1.10    Digest
1.01    Digest::HMAC
2.36    Digest::MD5
2.10    Digest::SHA1
1.00    Encode::Detect
0.17008 Error
0.18    ExtUtils::CBuilder
2.18    ExtUtils::ParseXS
2.35    Getopt::Long
0.44    Inline
1.08    IO::String
1.04    IO::Zlib
2.21    IP::Country
missing Mail::ClamAV
3.002005        Mail::SpamAssassin
v2.004  Mail::SPF
1.999001        Mail::SPF::Query
0.2808  Module::Build
0.20    Net::CIDR::Lite
0.63    Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.004   NetAddr::IP
1.94    Parse::RecDescent
missing SAVI
2.52    Test::Harness
0.95    Test::Manifest
1.98    Text::Balanced
1.35    URI
0.7203  version
0.62    YAML
# MailScanner --lint
Trying to setlogsock(unix)
Read 851 hostnames from the phishing whitelist
Read 4648 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.71.10) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is
/var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir =
/var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Filename Checks:  (1 eicar.com)
Other Checks: Found 1 problems
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its
virus.scanners.conf.
#

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
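The check Julian asked for (grep raw queue files for a named attachment, filtered to the 16-17Kb size band) and the cmp step Mark describes are easy to script. The following is an added example written for this page; it is not code from the post or from MailScanner. The archive directory, the queue-file names (Q1, Q2, Q1.copy) and the MIME fragments inside them are constructed here so the script runs offline; point ARCHIVE_DIR at your real "Archive Mail" directory instead.

```shell
#!/bin/sh
# Added example (not from the original post or from MailScanner).
# Scan a directory of archived/raw Postfix queue files for messages in a
# byte-size band whose raw content names a given attachment, and compare two
# copies byte-for-byte as the post did with cmp.

# Usage: find_attachment_msgs DIR NAME [MIN_BYTES] [MAX_BYTES]
# Prints "<size> <path>" for each matching file. Postfix queue files are
# binary records, but the MIME headers inside them are plain text, so
# grep -a (treat as text) finds the attachment filename.
find_attachment_msgs() {
    dir=$1; name=$2; min=${3:-0}; max=${4:-0}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" -ge "$min" ] || continue
        if [ "$max" -gt 0 ] && [ "$size" -gt "$max" ]; then continue; fi
        if grep -a -q -i -- "$name" "$f"; then
            printf '%s %s\n' "$size" "$f"
        fi
    done
}

# Usage: same_message FILE1 FILE2
# Prints "identical" or "different"; exit status follows cmp.
same_message() {
    if cmp -s -- "$1" "$2"; then
        echo identical
        return 0
    fi
    echo different
    return 1
}

# Build a constructed sample archive (hypothetical names and content) so the
# functions above can be exercised without real mail. Q1 is a ~16.5KB message
# carrying start.zip, Q2 is a small unrelated message, Q1.copy is an exact
# duplicate of Q1 standing in for the requeued-and-archived copy.
make_sample_archive() {
    d=$(mktemp -d)
    {
        printf 'From: sender@example.invalid\n'
        printf 'Subject: constructed sample\n'
        printf 'Content-Type: application/zip; name="start.zip"\n'
        printf 'Content-Disposition: attachment; filename="start.zip"\n\n'
        dd if=/dev/zero bs=1024 count=16 2>/dev/null | tr '\0' 'A'
    } > "$d/Q1"
    {
        printf 'From: other@example.invalid\n'
        printf 'Content-Disposition: attachment; filename="report.pdf"\n\n'
        printf 'short body\n'
    } > "$d/Q2"
    cp "$d/Q1" "$d/Q1.copy"
    echo "$d"
}

# Stand-alone demo: ARCHIVE_DIR is a hypothetical path; the sample archive is
# used when it does not exist.
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/spool/MailScanner/archive}
if [ -d "$ARCHIVE_DIR" ]; then
    find_attachment_msgs "$ARCHIVE_DIR" start.zip 16000 17500
else
    sample=$(make_sample_archive)
    find_attachment_msgs "$sample" start.zip 16000 17500
    same_message "$sample/Q1" "$sample/Q1.copy"
    rm -rf "$sample"
fi
```

The size band is the 16-17Kb figure from the thread; widen it if your archived copies carry extra Received: headers. Files the script lists can be handed to clamdscan one at a time to see whether detection is reproducible, which is the intermittent behaviour the post reports.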


