Mismatch between report and actions

Robert Lopez rlopezcnm at gmail.com
Mon Jun 29 14:36:02 IST 2009


On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen<glenn.steen at gmail.com> wrote:
> 2009/6/26 Robert Lopez <rlopezcnm at gmail.com>:
>> HP ProLiant DL360 G5
>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
>> 8 G RAM
>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009
>> x86_64 GNU/Linux
>> Ubuntu 9.04 (jaunty)
>> MailScanner version 4.74.16
>> Postfix version 2.5.5
>> SpamAssassin version 3.2.5 running on Perl version 5.10.0
>> (I know there are newer versions. These are Ubuntu apt-get...)
>>
>>
>> Situation: Testing Eicar, external site to internal via gateway.
>> Problem:   Mismatch between reported information and actions.
>>
>> Email content says:
>> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
>> for more information."
>>
>> Action was:
>> Appended the text into the body of email instead of an attachment.
>>
>>
>> Email content says:
>> "Note to Help Desk: Look on the CNM () MailScanner in
>> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."
>>
>> Action was:
>> "/var/spool/MailScanner/quarantine/20090626" has one dir which is "spam".
>> "/var/spool/MailScanner/quarantine/20090626/spam" has one file which
>> is "3A59B34D.274DC" and it contains a discarded gtube test.
>> Find says there is no E0CE312F.5E6C5 file on disks.
>>
>> Maillog shows this redacted information:
>> MailScanner[2381]: Message E0CE312F.5E6C5 from 209.85.221.171
>> (munged at gmail.com) to munged.cnm.edu is not spam, SpamAssassin (not
>> cached, score=-0.001, required 6, autolearn=not spam, SPF_PASS -0.00)
>> MailScanner[2381]: Virus and Content Scanning: Starting
>> MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/
>> MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature ::
>> ./E0CE312F.5E6C5/msg-2381-6.txt
>> MailScanner[2381]: Virus Scanning: Clamd found 2 infections
>> MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171
>> { { [ Aside: One Eicar counts as two virus infections? ] } }
>> MailScanner[2381]: Virus Scanning: Found 2 viruses
>> MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D
>> MailScanner[2381]: Cleaned: Delivered 1 cleaned messages
>> postfix/qmgr[3109]: A7E6051D: from=<munged at gmail.com>, size=2128,
>> nrcpt=1 (queue active)
>> postfix/pickup[3108]: B3E9E520: uid=105 from=<postmaster>
>> postfix/cleanup[3639]: B3E9E520: hold: header Received: by
>> munged.cnm.edu (Postfix, from userid 105)??id B3E9E520; Fri, 26 Jun
>> 2009 11:33:08 -0600 (MDT) from local; from=<postmaster at cnm.edu>
>> postfix/cleanup[3639]: B3E9E520:
>> message-id=<20090626173308.B3E9E520 at munged.cnm.edu>
>> MailScanner[2381]: Notices: Warned about 1 messages
>> postfix/smtp[3648]: A7E6051D: to=<munged at munged.cnm.edu>,
>> orig_to=<munged at munged.cnm.edu>,
>> relay=munged.cnm.edu[198.133.181.119]:25, delay=21,
>> delays=21/0/0/0.02, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
>> postfix/qmgr[3109]: A7E6051D: removed
>>
>> Questions: How do I remedy these two mismatches?
>>
>>
> Do the upgrades needed ... MailScanner, possibly SA and Clam as well.
> If this means leaving the Ubuntu/apt thing behind, then so be it.
> If you still observe the same behavior... Then we'll look at other things:-).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

Thank you Glenn,

Changing from Ubuntu is not my decision to make. My current project is
comparing a system built with RHEL and files from Julian's site to this
one.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
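
The quarantine mismatch reported in this thread can be checked mechanically. The script below is an added example, not part of the original messages or of MailScanner: it takes the message id and directory named in the Help Desk notice, looks for that id on disk, and pulls the matching Clamd, Requeue and delivery lines from the maillog. The regexes assume the notice and log wording quoted in this thread; the names `trace` and `check_notice` and the `root` parameter are hypothetical.

```python
import re
from pathlib import Path

# Constructed sample: log lines in the shape quoted above (postfix line abbreviated).
SAMPLE_LOG = """\
MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/
MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/msg-2381-6.txt
MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171
MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D
postfix/smtp[3648]: A7E6051D: to=<munged at munged.cnm.edu>, status=sent (250 2.5.0 Ok.)
"""
NOTICE = ("Note to Help Desk: Look on the CNM () MailScanner in "
          "/var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5).")

INFECTED = re.compile(r"Clamd::INFECTED::\s*(\S+)\s*::\s*\./([0-9A-F]+\.[0-9A-F]+)/(\S*)")
REQUEUE = re.compile(r"Requeue: ([0-9A-F]+\.[0-9A-F]+) to ([0-9A-F]+)")
NOTICE_RE = re.compile(r"in\s+(/\S+)\s+\(message ([0-9A-F]+\.[0-9A-F]+)\)")

def trace(log_text, msg_id):
    """Collect what the maillog records for one MailScanner message id."""
    hits = [m for m in INFECTED.finditer(log_text) if m.group(2) == msg_id]
    requeue = next((m.group(2) for m in REQUEUE.finditer(log_text)
                    if m.group(1) == msg_id), None)
    delivered = bool(requeue and
                     re.search(rf"{re.escape(requeue)}: to=.*status=sent", log_text))
    return {
        "signatures": sorted({m.group(1) for m in hits}),
        # An empty path means the report line named the message directory itself.
        "infected_paths": [m.group(3) or "<message dir>" for m in hits],
        "requeued_as": requeue,
        "delivered": delivered,
    }

def check_notice(notice, log_text, root=None):
    """Compare the quarantine location a notice names with what is on disk."""
    m = NOTICE_RE.search(notice)
    if not m:
        raise ValueError("notice does not name a quarantine directory and message id")
    qdir, msg_id = m.group(1), m.group(2)
    # root lets the check run against a copy of the spool (assumption for testing).
    base = Path(root) / qdir.lstrip("/") if root else Path(qdir)
    found = sorted(str(p.relative_to(base)) for p in base.rglob(msg_id)) if base.is_dir() else []
    return {"msg_id": msg_id, "quarantine_dir": qdir, "found": found,
            **trace(log_text, msg_id)}
```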

