Mismatch between report and actions

Robert Lopez rlopezcnm at gmail.com
Fri Jun 26 19:46:08 IST 2009


HP ProLiant DL360 G5
Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
8 G RAM
Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009
x86_64 GNU/Linux
Ubuntu 9.04 (jaunty)
MailScanner version 4.74.16
Postfix version 2.5.5
SpamAssassin version 3.2.5 running on Perl version 5.10.0
(I know there are newer versions. These are Ubuntu apt-get...)


Situation: Testing Eicar, external site to internal via gateway.
Problem:   Mismatch between reported information and actions.

Email content says:
"Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
for more information."

Action was:
Appended the text into the body of email instead of an attachment.


Email content says:
"Note to Help Desk: Look on the CNM () MailScanner in
/var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."

Action was:
"/var/spool/MailScanner/quarantine/20090626" has one dir which is "spam".
"/var/spool/MailScanner/quarantine/20090626/spam" has one file which
is "3A59B34D.274DC" and it contains a discarded gtube test.
Find says there is no E0CE312F.5E6C5 file on disks.

Maillog shows this redacted information:
MailScanner[2381]: Message E0CE312F.5E6C5 from 209.85.221.171 (munged at gmail.com) to munged.cnm.edu is not spam, SpamAssassin (not cached, score=-0.001, required 6, autolearn=not spam, SPF_PASS -0.00)
MailScanner[2381]: Virus and Content Scanning: Starting
MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/
MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/msg-2381-6.txt
MailScanner[2381]: Virus Scanning: Clamd found 2 infections
MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171
{ { [ Aside: One Eicar counts as two virus infections? ] } }
MailScanner[2381]: Virus Scanning: Found 2 viruses
MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D
MailScanner[2381]: Cleaned: Delivered 1 cleaned messages
postfix/qmgr[3109]: A7E6051D: from=<munged at gmail.com>, size=2128, nrcpt=1 (queue active)
postfix/pickup[3108]: B3E9E520: uid=105 from=<postmaster>
postfix/cleanup[3639]: B3E9E520: hold: header Received: by munged.cnm.edu (Postfix, from userid 105)??id B3E9E520; Fri, 26 Jun 2009 11:33:08 -0600 (MDT) from local; from=<postmaster at cnm.edu>
postfix/cleanup[3639]: B3E9E520: message-id=<20090626173308.B3E9E520 at munged.cnm.edu>
MailScanner[2381]: Notices: Warned about 1 messages
postfix/smtp[3648]: A7E6051D: to=<munged at munged.cnm.edu>, orig_to=<munged at munged.cnm.edu>, relay=munged.cnm.edu[198.133.181.119]:25, delay=21, delays=21/0/0/0.02, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
postfix/qmgr[3109]: A7E6051D: removed

Questions: How do I remedy these two mismatches?


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
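
The manual cross-check in the message above (log says infected, the notice names a quarantine directory, find shows no such entry) can be scripted. This is an added example, not part of the original post and not MailScanner code: the `audit` and `demo` names are hypothetical, the sample log is constructed from the lines quoted above, and it assumes a quarantined message appears under the day directory as a file or directory named by its message id.

```python
import os
import re
import tempfile

# Constructed sample, modelled on the MailScanner lines quoted in the post.
SAMPLE_LOG = """\
MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171
MailScanner[2381]: Virus Scanning: Found 2 viruses
MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D
MailScanner[2381]: Cleaned: Delivered 1 cleaned messages
"""

INFECTED = re.compile(r"MailScanner\[\d+\]: Infected message (\S+) came from (\S+)")
REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: (\S+) to (\S+)")


def audit(log_text, quarantine_day_dir):
    """List infected messages with their requeue id and quarantine status."""
    records = {}
    for line in log_text.splitlines():
        hit = INFECTED.search(line)
        if hit:
            msg_id, source = hit.groups()
            records[msg_id] = {"id": msg_id, "source": source,
                               "requeued_as": None, "quarantined": False}
            continue
        hit = REQUEUE.search(line)
        if hit and hit.group(1) in records:
            records[hit.group(1)]["requeued_as"] = hit.group(2)
    # Assumption: an entry may sit directly under the day directory or in a
    # subdirectory such as "spam", so collect names at every depth.
    present = set()
    for _root, dirs, files in os.walk(quarantine_day_dir):
        present.update(dirs, files)
    for rec in records.values():
        rec["quarantined"] = rec["id"] in present
    return list(records.values())


def demo():
    """Rebuild the post's layout: a day directory holding only spam/3A59B34D.274DC."""
    with tempfile.TemporaryDirectory() as day:
        os.mkdir(os.path.join(day, "spam"))
        open(os.path.join(day, "spam", "3A59B34D.274DC"), "w").close()
        return audit(SAMPLE_LOG, day)


if __name__ == "__main__":
    for rec in demo():
        state = "present" if rec["quarantined"] else "MISSING"
        print(f"{rec['id']} from {rec['source']} -> {rec['requeued_as']}: quarantine {state}")
```

Run against a real maillog and the matching day directory, any record with `quarantined` false is a message the log marked infected but for which no quarantine copy exists.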

