Mismatch between report and actions
Glenn Steen
glenn.steen at gmail.com
Sun Jun 28 00:17:15 IST 2009
2009/6/26 Robert Lopez <rlopezcnm at gmail.com>:
> HP ProLiant DL360 G5
> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
> 8 G RAM
> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009
> x86_64 GNU/Linux
> Ubuntu 9.04 (jaunty)
> MailScanner version 4.74.16
> Postfix version 2.5.5
> SpamAssassin version 3.2.5 running on Perl version 5.10.0
> (I know there are newer versions. These are Ubuntu apt-get...)
>
>
> Situation: Testing Eicar, external site to internal via gateway.
> Problem: Mismatch between reported information and actions.
>
> Email content says:
> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
> for more information."
>
> Action was:
> Appended the text into the body of email instead of an attachment.
>
>
> Email content says:
> "Note to Help Desk: Look on the CNM () MailScanner in
> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."
>
> Action was:
> "/var/spool/MailScanner/quarantine/20090626" has one dir which is "spam".
> "/var/spool/MailScanner/quarantine/20090626/spam" has one file which
> is "3A59B34D.274DC" and it contains a discarded gtube test.
> Find says there is no E0CE312F.5E6C5 file on disks.
>
> Maillog shows this redacted information:
> MailScanner[2381]: Message E0CE312F.5E6C5 from 209.85.221.171
> (munged at gmail.com) to munged.cnm.edu is not spam, SpamAssassin (not
> cached, score=-0.001, required 6, autolearn=not spam, SPF_PASS -0.00)
> MailScanner[2381]: Virus and Content Scanning: Starting
> MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/
> MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature ::
> ./E0CE312F.5E6C5/msg-2381-6.txt
> MailScanner[2381]: Virus Scanning: Clamd found 2 infections
> MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171
> { { [ Aside: One Eicar counts as two virus infections? ] } }
> MailScanner[2381]: Virus Scanning: Found 2 viruses
> MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D
> MailScanner[2381]: Cleaned: Delivered 1 cleaned messages
> postfix/qmgr[3109]: A7E6051D: from=<munged at gmail.com>, size=2128,
> nrcpt=1 (queue active)
> postfix/pickup[3108]: B3E9E520: uid=105 from=<postmaster>
> postfix/cleanup[3639]: B3E9E520: hold: header Received: by
> munged.cnm.edu (Postfix, from userid 105)??id B3E9E520; Fri, 26 Jun
> 2009 11:33:08 -0600 (MDT) from local; from=<postmaster at cnm.edu>
> postfix/cleanup[3639]: B3E9E520:
> message-id=<20090626173308.B3E9E520 at munged.cnm.edu>
> MailScanner[2381]: Notices: Warned about 1 messages
> postfix/smtp[3648]: A7E6051D: to=<munged at munged.cnm.edu>,
> orig_to=<munged at munged.cnm.edu>,
> relay=munged.cnm.edu[198.133.181.119]:25, delay=21,
> delays=21/0/0/0.02, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
> postfix/qmgr[3109]: A7E6051D: removed
>
> Questions: How do I remedy these two mismatches?
>
>
Do the upgrades needed ... MailScanner, possibly SA and Clam as well.
If this means leaving the Ubuntu/apt thing behind, then so be it.
If you still observe the same behavior... Then we'll look at other things:-).
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
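
One way to check for the second mismatch in the report above (a message logged as infected but absent from the dated quarantine directory), as an added example that is not part of the original thread or MailScanner's own code. The log text is a constructed sample modelled on the quoted maillog; the function names, and the assumption that a quarantined message shows up as a file or directory named after its message id somewhere under the dated directory, are hypothetical:

```python
import re
import tempfile
from pathlib import Path

# Constructed sample, modelled on the maillog lines quoted in the post.
SAMPLE_LOG = """\
MailScanner[2381]: Virus and Content Scanning: Starting
MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/
MailScanner[2381]: Virus Scanning: Clamd found 2 infections
MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171
MailScanner[2381]: Virus Scanning: Found 2 viruses
MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D
"""

# One "Infected message" line is logged per message, regardless of how many
# per-file Clamd::INFECTED lines precede it.
INFECTED = re.compile(r"MailScanner\[\d+\]: Infected message (\S+) came from (\S+)")


def infected_ids(log_text):
    """Return {message_id: source_ip} for every 'Infected message' log line."""
    return {m.group(1): m.group(2) for m in INFECTED.finditer(log_text)}


def missing_from_quarantine(log_text, day_dir):
    """List infected message ids with no entry anywhere under day_dir."""
    day_dir = Path(day_dir)
    # Assumption: a quarantined message appears under its message id.
    present = {p.name for p in day_dir.rglob("*")} if day_dir.is_dir() else set()
    return sorted(mid for mid in infected_ids(log_text) if mid not in present)


def demo():
    """Rebuild the directory state described in the post and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        day = Path(tmp) / "20090626"
        (day / "spam").mkdir(parents=True)
        (day / "spam" / "3A59B34D.274DC").write_text("constructed placeholder\n")
        return missing_from_quarantine(SAMPLE_LOG, day)


if __name__ == "__main__":
    for mid in demo():
        print(f"logged as infected but not in quarantine: {mid}")
```

An id returned here means the notice text and the on-disk state disagree for that message, which is the condition described in the report.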