Problem Messages

Glenn Steen glenn.steen at gmail.com
Fri Nov 13 08:55:16 GMT 2009


2009/11/12 Brett Moss <bamcomp at yahoo.com>:
> --- On Thu, 11/12/09, Glenn Steen <glenn.steen at gmail.com> wrote:
>
>> From: Glenn Steen <glenn.steen at gmail.com>
>> Subject: Re: Problem Messages
>> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
>> Date: Thursday, November 12, 2009, 5:39 AM
>> 2009/11/12 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>> > On 11/11/09 18:28, Brett Moss wrote:
>> >>
>> >> [root at mailgw ~]# cat /var/log/maillog|grep nABBuKZR024867
>> >> Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=<kristieamn4 at sonictimeworks.com>, size=2158, class=0, nrcpts=1, msgid=<000d01ca62c5$f6f7e140$6400a8c0 at kristieamn4>, proto=ESMTP, daemon=MTA, relay=cable-94-189-200-50.dynamic.sbb.rs [94.189.200.50]
>> >> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer]<HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
>> >> Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
>> >> Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer]<HTML/Irsphish (exact)> ./nABBuKZR024867/msg-21397-3.html
>> >> Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867
>> >
>> > There may be some relevant log lines in between currently missing. At least an indication which scanner is detecting this. Which scanner is that BTW? Is it the only scanner? What are the other log lines?
>> >
>> > And given the nature of the message I think you would not mind sharing the content of that message somewhere so others can have a look at it also.
>> >
>> > I would probably never see these as the sender is using dialup networks and they would most likely be killed before the DATA line.
>> >
>> > Hugo.
>> >
>> Apart from Hugo's excellent notes, one can see that the processing db thing does exactly what it is supposed to. It is handling a situation where a message is responsible for killing MailScanner. You have the message in your quarantine, for further scrutiny (perhaps upload it to Virus Total (or similar site) to see what AV scanners think of it etc). Since it very likely is a baddie, you could likely pastebin it, so that we can have a look at it/try it on our systems (see if the killing thing is a) something local to your machine, and b) something (bug or not) we (or rather... Jules:-) can handle in the code).
>>
>> Cheers
>> --
>> -- Glenn
>
>
> Hello Hugo, Glenn, all
>
> I looked into the logs again and did find the following line.  It is the second line that I think I failed to post.
>
> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus  in
>
> This line is repeated each time MailScanner tries to process the message.
> I am unsure which scanner is catching it, the logs show nothing.  I am running clam, mcafee, and f-prot-6
>
Looks like f-prot to me (well... not any mcafee or clamd thing, at least:-).
Could you run the wrapper on the directory? You might need to copy the
quarantine dir for it into a tmp folder, to mimic how the situation
looks when MS calls the wrapper ... You also need to look in
SweepVirus.pm to see what, if any, options you should pass to it.

> I have loaded to pastebin  http://pastebin.com/m47f98b75 and I uploaded to virustotal, and it came up with nothing.
>
But that's not the complete message. Nor is it the unpacked
attachments. This is why you should check what actually triggers the
AV, as well as which AV gets it.
If nothing else, you should run the commandline tool for each scanner
(clamdscan, uvscan ...) on the directory containing the quarantined
item(s).
Exactly what files do you have there?

> Thank you,
> Brett
>
Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
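As an added example (not code from this thread or from MailScanner itself), a small Python script that does what the grep above does by hand: it groups maillog lines by sendmail queue id and reports the messages MailScanner had to retry, together with the scanner hits logged against their quarantine files. The log lines are constructed in the shape of the ones quoted above; sender, relay and message-id are placeholders, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the lines quoted in the thread; the
# sender, relay and message-id are placeholders, not the values from the post.
SAMPLE_LOG = """\
Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=<sender@example.invalid>, size=2158, class=0, nrcpts=1, msgid=<placeholder@example.invalid>, proto=ESMTP, daemon=MTA, relay=host.example.invalid [192.0.2.10]
Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus  in
Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-21397-3.html
Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867
Nov 11 04:05:02 mailgw sendmail[24901]: nABC55Xq024901: from=<other@example.invalid>, size=900, class=0, nrcpts=1, msgid=<p2@example.invalid>, proto=ESMTP, daemon=MTA, relay=mx.example.invalid [192.0.2.11]
"""

# sendmail envelope line: queue id, envelope sender and relay
ENVELOPE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<from>[^>]*)>.*relay=(?P<relay>.+)$")
# MailScanner detection line: child PID, category, signature, queue id and quarantine file
DETECT = re.compile(r"MailScanner\[(?P<pid>\d+)\]: \[Found (?P<cat>[^\]]+)\]\s*<(?P<sig>[^>]+)> \./(?P<qid>\w+)/(?P<file>\S+)")
# MailScanner retry line written by the processing-attempts db
ATTEMPT = re.compile(r"MailScanner\[\d+\]: Making attempt (?P<n>\d+) at processing message (?P<qid>\w+)")

def summarize(log_text):
    """Group maillog lines by queue id: envelope data, every scanner hit
    (child PID, category, signature, file) and the highest attempt number
    seen (1 when the message was never retried)."""
    msgs = defaultdict(lambda: {"from": None, "relay": None, "attempts": 1, "detections": []})
    for line in log_text.splitlines():
        if m := ENVELOPE.search(line):
            msgs[m["qid"]].update({"from": m["from"], "relay": m["relay"]})
        elif m := DETECT.search(line):
            msgs[m["qid"]]["detections"].append((int(m["pid"]), m["cat"], m["sig"], m["file"]))
        elif m := ATTEMPT.search(line):
            q = msgs[m["qid"]]
            q["attempts"] = max(q["attempts"], int(m["n"]))
    return dict(msgs)

def retried_messages(summary):
    """Queue ids MailScanner had to retry, i.e. a child died while working on
    them; these are the ones to pull from quarantine and run each scanner's
    command-line tool against."""
    return sorted(q for q, info in summary.items() if info["attempts"] > 1)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for qid in retried_messages(s):
        info = s[qid]
        print(f"{qid}: {info['attempts']} attempts, from {info['from']}, relay {info['relay']}")
        for pid, cat, sig, fname in info["detections"]:
            print(f"  child {pid}: {cat} / {sig} in {fname}")
```

Feed it `grep MailScanner /var/log/maillog` (or the whole log) on stdin-sized input by replacing SAMPLE_LOG; the per-child PID in each detection tells you which scan attempt produced which quarantine file.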

