Potential Postfix CentOS message unpacking bug

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Mon Sep 22 13:34:56 IST 2008


Mark Sapiro wrote:
> Mark Sapiro wrote:
>
>> On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote:
>>> So Postfix users on CentOS, please can you check your logs for any 
>>> 16-17Kb spams which could possibly contain an attachment called 
>>> "start.zip" (grep should find it in raw queue files, if you're wondering 
>>> how to do that for raw queue files), which have not always been detected 
>>> as infected.
>> I have seen exactly one of these
>>
>> /var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip
>>
>> in the last 30 days and no spam quarantined with start.zip attachments.
>>
>>> You might want to use the "Archive Mail" feature of MailScanner.conf for 
>>> a while to see if you're getting anything like that, in case you are 
>>> suffering the problem.
>> I have just enabled Archive Mail and will look for start.zip in the archive.
>
> Here's an update. This is very strange. I set
>
> Archive Mail = /var/spool/MailScanner/archive
>
> in MailScanner.conf, and I started looking for archived messages
> containing start.zip. I also noticed that the actual trojan when
> identified was identified as Trojan.Fakealert-532, so I looked for
> that in clamd reports as well and found several detections in messages
> with a "tube.zip" attachment. Two days ago, I found two archived
> messages with tube.zip attachments that had been quarantined as
> high-spam and not detected by clamd as infected with
> Trojan.Fakealert-532.
>
> I wanted to see the spam detections for these messages so I added a
> rule to my high spam rules that would forward the message to me and
> reloaded MailScanner. I then copied one of the archived queue files to
> /var/spool/postfix/hold/ and was shocked to find that this time it was
> flagged by clamd as infected with Trojan.Fakealert-532. This requeued
> message was archived too and I did a cmp of the two archived queue
> files and they were identical, yet the first message was not flagged
> by clamd and was quarantined as high spam and the second message was
> flagged by clamd.
>
> So the bottom line is I've seen the problem, but it appears to be
> intermittent, even with an identical message.

Mark,

ClamAV gets updated quite often.  Maybe it didn't know about 
Trojan.Fakealert-532 the first time the email got through but it knew 
better some time later.

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
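Mark's check above (archive queue files, grep them for the attachment name, then look for a matching ClamAVModule::INFECTED line) can be automated so the comparison is made for every archived message rather than by hand. The script below is an added example, not code from the thread or from MailScanner; it assumes that the archive directory named by "Archive Mail" holds one file per message whose name starts with the Postfix queue id (the same id that appears as the directory part of the "./4C266690092.86EA5/start.zip" path in the log line), and all log lines and queue file contents are constructed sample data. It reports queue ids whose archived copy mentions a suspect attachment name but for which no INFECTED line exists, which is the intermittent case Mark describes; it does not by itself tell you why, so a detection that appears only on the second pass still has to be compared against the time of the last signature update, as Denis suggests.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample maillog lines in the format shown in the thread (not real log data).
SAMPLE_MAILLOG = """\
Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip
Sep 16 10:02:41 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./5D1770A0033.91AB2/tube.zip
Sep 16 10:03:02 sbh16 MailScanner[783]: Spam Checks: Starting
"""

# Attachment names mentioned in the thread; extend as needed.
SUSPECT_NAMES = (b"start.zip", b"tube.zip")

# Matches the MailScanner ClamAV detection line. search() is used rather than match()
# so a "/var/log/maillog:" prefix left by grep does not break the parse.
INFECTED_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[\d+\]: "
    r"ClamAVModule::INFECTED:: (?P<sig>\S+) :: \./(?P<qid>[0-9A-F]+)\.[0-9A-F]+/(?P<name>\S+)"
)


def parse_infected(log_text):
    """Map queue id -> (signature, attachment name, timestamp) for each INFECTED line."""
    hits = {}
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if m:
            hits[m.group("qid")] = (m.group("sig"), m.group("name"), m.group("ts"))
    return hits


def find_suspect_queue_files(archive_dir, names=SUSPECT_NAMES):
    """Return {queue_id: attachment_name} for archived queue files that mention a suspect name.

    Assumption (hypothetical layout): the archive file name begins with the Postfix queue id,
    so everything before the first '.' is taken as the id.
    """
    found = {}
    for path in sorted(Path(archive_dir).iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()          # raw queue file; a plain byte search is enough here
        for name in names:
            if name in data:
                found[path.name.split(".")[0]] = name.decode()
                break
    return found


def undetected(archive_dir, log_text, names=SUSPECT_NAMES):
    """Queue ids whose archived copy carries a suspect attachment but has no INFECTED log line."""
    suspect = find_suspect_queue_files(archive_dir, names)
    infected = parse_infected(log_text)
    return sorted(qid for qid in suspect if qid not in infected)


def demo():
    """Build a constructed archive directory and run the check end to end."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed queue files: only the attachment file name matters for this check.
        Path(d, "4C266690092.86EA5").write_bytes(
            b'Content-Disposition: attachment; filename="start.zip"\r\n')
        Path(d, "7F0A1B2C3D4.00001").write_bytes(
            b'Content-Disposition: attachment; filename="tube.zip"\r\n')
        Path(d, "9A9A9A9A9A9.12345").write_bytes(b"ordinary newsletter\r\n")
        return undetected(d, SAMPLE_MAILLOG)


if __name__ == "__main__":
    for qid in demo():
        print("archived but not flagged by clamd:", qid)
```

Run it against a real deployment by replacing the demo's temporary directory with the "Archive Mail" path and the constructed log text with the contents of /var/log/maillog; the ids it prints are the messages worth re-queuing the way Mark did, and their archive timestamps are what to line up against the ClamAV signature update history.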