Problem Messages

Glenn Steen glenn.steen at
Thu Nov 12 13:39:26 GMT 2009

2009/11/12 Hugo van der Kooij <hvdkooij at>:
> On 11/11/09 18:28, Brett Moss wrote:
>> [root at mailgw ~]# cat /var/log/maillog|grep nABBuKZR024867
>> Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867:
>> from=<kristieamn4 at>, size=2158, class=0, nrcpts=1,
>> msgid=<000d01ca62c5$f6f7e140$6400a8c0 at kristieamn4>, proto=ESMTP, daemon=MTA,
>> []
>> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password
>> stealer]<HTML/Irsphish (exact)>  ./nABBuKZR024867/msg-20311-2.html
>> Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing
>> message nABBuKZR024867
>> Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password
>> stealer]<HTML/Irsphish (exact)>  ./nABBuKZR024867/msg-21397-3.html
>> Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing
>> message nABBuKZR024867
> There may be some relevant log lines in between currently missing. At least
> an indication which scanner is detecting this. Which scanner is that BTW? Is
> it the only scanner? What are the other log lines?
> And given the nature of the message I think you would not mind sharing the
> content of that message somewhere so others can have a look at it also.
> I would propably never see these as the sender is using dialup networks and
> they would most likely be killed before the DATA line.
> Hugo.
Apart from Hugos' excellent notes, one can see that the processing db
thing does exactly what it is supposed to. It is handling a situation
where a message is responsible for killing MailScanner. You have the
message in your quarantine, for further scrutiny (perhaps upload it to
Virus Total (or similar site) to see what AV scanners think of it
etc). Since it very likely is a baddie, you could lielky pastebin it,
so that we can have a look at it/try it on our systems (see if the
killing thing is a) something local to your machine, and b) something
(bug or not) we (or rather... Jules:-) can handle in the code).

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list