Potential Postfix CentOS message unpacking bug

Mark Sapiro mark at msapiro.net
Tue Sep 23 17:33:59 IST 2008


On Mon, Sep 22, 2008 at 08:34:56AM -0400, Denis Beauchemin wrote:
> Mark Sapiro wrote:
> >Mark Sapiro wrote:
> >
> >  
> >>On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote:
> >>    
> >>>So Postfix users on CentOS, please can you check your logs for any 
> >>>16-17Kb spams which could possibly contain an attachment called 
> >>>"start.zip" (grep should find it in raw queue files, if you're wondering 
> >>>how to do that for raw queue files), which have not always been detected 
> >>>as infected.
> >>>      
> >>I have seen exactly one of these
> >>
> >>/var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner[783]: 
> >>ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: 
> >>./4C266690092.86EA5/start.zip
> >>
> >>in the last 30 days and no spam quarantined with start.zip attachments.
> >>
> >>
> >>    
> >>>You might want to use the "Archive Mail" feature of MailScanner.conf for 
> >>>a while to see if you're getting anything like that, in case you are 
> >>>suffering the problem.
> >>>      
> >>I have just enabled Archive Mail and will look for start.zip in the 
> >>archive.
> >>    
> >
> >
> >Here's an update. This is very strange. I set
> >
> >Archive Mail = /var/spool/MailScanner/archive
> >
> >in MailScanner.conf, and I started looking for archived messages
> >containing start.zip. I also noticed that the actual trojan when
> >identified was identified as Trojan.Fakealert-532, so I looked for
> >that in clamd reports as well and found several detections in messages
> >with a "tube.zip" attachment. Two days ago, I found two archived
> >messages with tube.zip attachments that had been quarantined as
> >high-spam and not detected by clamd as infected with
> >Trojan.Fakealert-532.
> >
> >I wanted to see the spam detections for these messages so I added a
> >rule to my high spam rules that would forward the message to me and
> >reloaded MailScanner. I then copied one of the archived queue files to
> >/var/spool/postfix/hold/ and was shocked to find that this time it was
> >flagged by clamd as infected with Trojan.Fakealert-532. This requeued
> >message was archived too and I did a cmp of the two archived queue
> >files and they were identical, yet the first message was not flagged
> >by clamd and was quarantined as high spam and the second message was
> >flagged by clamd.
> >
> >So the bottom line is I've seen the problem, but it appears to be
> >intermittent, even with an identical message.
> >  
> 
> Mark,
> 
> ClamAV gets updated quite often.  Maybe it didn't know about 
> Trojan.Fakealert-532 the first time the email got through but it knew 
> better some time later.
> 


Denis,

While that is possible in general, it is not the case here, for two reasons.
1. ClamAV had been detecting Trojan.Fakealert-532 on my system for at least
   two days prior to the two missed detections.
2. Even if ClamAV didn't have a signature, the tube.zip file contains a
   file named VideoTube.com.avi.exe which should have been flagged for
   bad filename even if the trojan wasn't detected by ClamAV.

-- 
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
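The two checks the thread turns on, pulling ClamAVModule::INFECTED detections out of the maillog and spotting a double-extension filename such as VideoTube.com.avi.exe inside a zip attachment, are small enough to script. The following is an added example written for this archive page; it is not code from MailScanner or from anyone in the thread. The maillog lines and the zip are constructed in the script (the first log line is the one quoted above, re-joined onto a single line; the mailer had wrapped it), and the double-extension pattern is an assumption about what a filename rule would flag, not MailScanner's own filename.rules.conf.

```python
import io
import re
import zipfile

# Constructed sample maillog. Line 1 is the detection quoted in the thread,
# re-joined onto one line; the other two are made up for the example.
SAMPLE_MAILLOG = """\
Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip
Sep 15 00:26:02 sbh16 postfix/smtpd[801]: connect from unknown[192.0.2.10]
Sep 17 09:12:44 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./9A1B2C3D4E5F.0001/tube.zip
"""

# Shape of a MailScanner ClamAV detection line: timestamp, host, process,
# then "signature :: ./<queue id>/<attachment name>".
INFECTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) MailScanner\[\d+\]: "
    r"ClamAVModule::INFECTED:: (?P<sig>\S+) :: \./(?P<qid>[^/]+)/(?P<name>.+)$"
)


def parse_infected(log_text):
    """Return one dict per ClamAVModule::INFECTED line: ts, host, sig, qid, name."""
    hits = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


# Assumed double-extension rule: a media/document extension immediately
# followed by an executable one (e.g. ".avi.exe"). This is the kind of
# check a filename rule performs; it is not MailScanner's actual rule set.
DOUBLE_EXT_RE = re.compile(
    r"\.(avi|mpg|mpeg|wmv|jpg|jpeg|gif|png|doc|pdf|txt|htm|html)"
    r"\.(exe|scr|pif|com|bat|cmd|vbs)$",
    re.IGNORECASE,
)


def suspicious_names(zip_bytes):
    """List zip members whose basename carries a double extension."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            if DOUBLE_EXT_RE.search(base):
                flagged.append(info.filename)
    return flagged


def build_sample_zip():
    """Constructed stand-in for tube.zip: the member name is what matters,
    the content is inert placeholder text, not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VideoTube.com.avi.exe", b"placeholder, not an executable")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in parse_infected(SAMPLE_MAILLOG):
        print(f"{hit['ts']} {hit['qid']}: {hit['sig']} in {hit['name']}")
    print("double-extension members:", suspicious_names(build_sample_zip()))
```

Running the filename check against an archived queue file's attachment, independently of the scanner verdict, is what would have caught the two tube.zip messages the thread describes even on the pass where clamd said nothing.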
