Problem Messages

Brett Moss bamcomp at yahoo.com
Thu Nov 12 15:55:12 GMT 2009


--- On Thu, 11/12/09, Glenn Steen <glenn.steen at gmail.com> wrote:

> From: Glenn Steen <glenn.steen at gmail.com>
> Subject: Re: Problem Messages
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Date: Thursday, November 12, 2009, 5:39 AM
> 2009/11/12 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
> > On 11/11/09 18:28, Brett Moss wrote:
> >>
> >> [root at mailgw ~]# cat /var/log/maillog|grep nABBuKZR024867
> >> Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=<kristieamn4 at sonictimeworks.com>, size=2158, class=0, nrcpts=1, msgid=<000d01ca62c5$f6f7e140$6400a8c0 at kristieamn4>, proto=ESMTP, daemon=MTA, relay=cable-94-189-200-50.dynamic.sbb.rs [94.189.200.50]
> >> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer]<HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> >> Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
> >> Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer]<HTML/Irsphish (exact)> ./nABBuKZR024867/msg-21397-3.html
> >> Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867
> >
> > There may be some relevant log lines in between currently missing. At least
> > an indication which scanner is detecting this. Which scanner is that BTW? Is
> > it the only scanner? What are the other log lines?
> >
> > And given the nature of the message I think you would not mind sharing the
> > content of that message somewhere so others can have a look at it also.
> >
> > I would probably never see these as the sender is using dialup networks and
> > they would most likely be killed before the DATA line.
> >
> > Hugo.
> >
> Apart from Hugo's excellent notes, one can see that the processing db
> thing does exactly what it is supposed to. It is handling a situation
> where a message is responsible for killing MailScanner. You have the
> message in your quarantine, for further scrutiny (perhaps upload it to
> Virus Total (or similar site) to see what AV scanners think of it
> etc). Since it very likely is a baddie, you could likely pastebin it,
> so that we can have a look at it/try it on our systems (see if the
> killing thing is a) something local to your machine, and b) something
> (bug or not) we (or rather... Jules:-) can handle in the code).
> 
> Cheers
> -- 
> -- Glenn


Hello Hugo, Glenn, all

I looked into the logs again and did find the following line. It is the second line that I think I failed to post.

Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus  in

This line is repeated each time MailScanner tries to process the message.
I am unsure which scanner is catching it; the logs show nothing. I am running clam, mcafee, and f-prot-6.

I have loaded it to pastebin http://pastebin.com/m47f98b75 and I uploaded it to virustotal, and it came up with nothing.

Thank you,
Brett
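
The second log line in the reply above, as posted, does not contain the queue ID, so a grep on the ID alone does not return it. The following is an added example, not part of the original thread or of MailScanner itself: it finds messages that MailScanner retried and then pulls in lines from the same MailScanner PID and second that lack the queue ID. The function names, the shortened sendmail line with its placeholder sender, and the final "New Batch" line are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Lines from the thread; the sendmail line is shortened with a placeholder
# sender, and the final "New Batch" line is constructed for contrast.
SAMPLE_LOG = """\
Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=<sender@example.invalid>, size=2158, nrcpts=1
Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus  in
Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-21397-3.html
Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867
Nov 11 04:05:00 mailgw MailScanner[23223]: New Batch: Scanning 1 messages, 2048 bytes
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w-]+)\[(\d+)\]: (.*)$")
ATTEMPT = re.compile(r"Making attempt (\d+) at processing message (\S+)")

def parse(text):
    """Yield (timestamp, program, pid, message) for each well-formed syslog line."""
    for line in text.splitlines():
        m = SYSLOG.match(line.rstrip())
        if m:
            yield m.groups()

def retried_messages(text, min_attempts=2):
    """Map queue ID -> highest attempt number logged by MailScanner."""
    worst = defaultdict(int)
    for _, prog, _, msg in parse(text):
        m = ATTEMPT.search(msg)
        if prog == "MailScanner" and m and int(m.group(1)) >= min_attempts:
            worst[m.group(2)] = max(worst[m.group(2)], int(m.group(1)))
    return dict(worst)

def missed_by_grep(text, queue_id):
    """MailScanner lines without the queue ID, logged by the same PID
    in the same second as a line that does mention it."""
    entries = list(parse(text))
    keys = {(ts, pid) for ts, prog, pid, msg in entries
            if prog == "MailScanner" and queue_id in msg}
    return [msg for ts, prog, pid, msg in entries
            if prog == "MailScanner" and (ts, pid) in keys and queue_id not in msg]

if __name__ == "__main__":
    for qid, attempts in retried_messages(SAMPLE_LOG).items():
        print(qid, "attempts:", attempts, "context:", missed_by_grep(SAMPLE_LOG, qid))
```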
