Potential Postfix CentOS message unpacking bug
mark at msapiro.net
Sat Sep 20 02:28:23 IST 2008
Mark Sapiro wrote:
>On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote:
>> So Postfix users on CentOS, please can you check your logs for any
>> 16-17Kb spams which could possibly containing an attachment called
>> "start.zip" (grep should find it in raw queue files, if you're wondering
>> how to do that for raw queue files), which have not always been detected
>> as infected.
>I have seen exactly one of these
>/var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip
>in the last 30 days and no spam quarantined with start.zip attachments.
>> You might want to use the "Archive Mail" feature of MailScanner.conf for
>> a while to see if you're getting anything like that, in case you are
>> suffering the problem.
>I have just enabled Archive Mail and will look for start.zip in the archive.
Here's an update. This is very strange. I set
Archive Mail = /var/spool/MailScanner/archive
in MailScanner.conf, and I started looking for archived messages
containing start.zip. I also noticed that the actual trojan when
identified was identified as Trojan.Fakealert-532, so I looked for
that in clamd reports as well and found several detections in messages
with a "tube.zip" attachment. Two days ago, I found two archived
messages with tube.zip attachments that had been quarantined as
high-spam and not detected by clamd as infected with
I wanted to see the spam detections for these messages so I added a
rule to my high spam rules that would forward the message to me and
reloaded Mailscanner. I then copied one of the archived queue file to
/var/spool/postfix/hold/ and was shocked to find that this time it was
flagged by clamd as infected with Trojan.Fakealert-532. This requeued
message was archived too and I did a cmp of the two archived queue
files and they were identical, yet the first message was not flagged
by clamd and was quarantined as high spam and the second message was
flagged by clamd.
So the bottom line is I've seen the problem, but it appears to be
intermittent, even with an identical message.
# MailScanner -v
Linux sbh16.songbird.com 2.6.18-8.1.14.el5 #1 SMP Thu Sep 27 18:58:54
EDT 2007 i
686 i686 i386 GNU/Linux
This is CentOS release 5 (Final)
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.71.10
Module versions are:
Optional module versions are:
# MailScanner --lint
Trying to setlogsock(unix)
Read 851 hostnames from the phishing whitelist
Read 4648 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.71.10) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is
SpamAssassin temp dir =
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Filename Checks: (1 eicar.com)
Other Checks: Found 1 problems
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the MailScanner