Hugo van der Kooij
hvdkooij at vanderkooij.org
Thu Nov 12 07:04:09 GMT 2009
On 11/11/09 18:28, Brett Moss wrote:
> [root at mailgw ~]# cat /var/log/maillog|grep nABBuKZR024867
> Nov 11 03:56:33 mailgw sendmail: nABBuKZR024867: from=<kristieamn4 at sonictimeworks.com>, size=2158, class=0, nrcpts=1, msgid=<000d01ca62c5$f6f7e140$6400a8c0 at kristieamn4>, proto=ESMTP, daemon=MTA, relay=cable-94-189-200-50.dynamic.sbb.rs [18.104.22.168]
> Nov 11 03:56:46 mailgw MailScanner: [Found password stealer]<HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> Nov 11 04:01:16 mailgw MailScanner: Making attempt 2 at processing message nABBuKZR024867
> Nov 11 04:01:29 mailgw MailScanner: [Found password stealer]<HTML/Irsphish (exact)> ./nABBuKZR024867/msg-21397-3.html
> Nov 11 04:03:54 mailgw MailScanner: Making attempt 3 at processing message nABBuKZR024867
There may be some relevant log lines in between currently missing. At
least an indication which scanner is detecting this. Which scanner is
that BTW? Is it the only scanner? What are the other log lines?
And given the nature of the message I think you would not mind sharing
the content of that message somewhere so others can have a look at it also.
I would probably never see these as the sender is using dialup networks
and they would most likely be killed before the DATA line.