Problem Messages
Mark Sapiro
mark at msapiro.net
Fri Nov 13 16:00:05 GMT 2009
On Thu, Nov 12, 2009 at 07:55:12AM -0800, Brett Moss wrote:
>
> I looked into the logs again and did find the following line. It is the second line that I think I failed to post.
>
> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus in
>
> This line is repeated each time MailScanner tries to process the message.
> I am unsure which scanner is catching it, the logs show nothing. I am running clam, mcafee, and f-prot-6
>
> I have loaded to pastebin http://pastebin.com/m47f98b75 and I uploaded to virustotal, and it came up with nothing.
Found spam-virus means one of your virus scanners got a hit with a name
that matched the pattern in MailScanner's configuration setting
Virus Names Which Are Spam =
These are intended to be clam hits on Sanesecurity spam signatures.
Your message on the pastebin hits
winnow.botnet.ff.trojans.4190.UNOFFICIAL
on my system. This sig is winnow.botnet.ff.trojans.4190 from the
winnow_malware_links.ndb database. See
<http://www.sanesecurity.net/databases.htm>.
This sig decodes to
(2e|2f|40|20|3c)mikkuo.me.uk(27|22|20|2f|3d|3e|0a|0d)
and hits on the /www.irs.gov.mikkuo.me.uk/ URL in the message.
--
Mark Sapiro mark at msapiro net            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
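
The decoding step described in the reply above, as an added Python example (not part of the original message and not ClamAV or MailScanner code): it renders an .ndb hex signature in the readable form quoted above and checks it against a message body. The record's target type `0` and offset `*` are assumptions, the sample body is constructed, and only literal hex bytes and `(aa|bb)` alternations are handled.

```python
import re

# Constructed record: the name and decoded pattern come from the post;
# target type 0 and offset * are assumptions, and the domain is hex-encoded here.
HEXSIG = "(2e|2f|40|20|3c)" + b"mikkuo.me.uk".hex() + "(27|22|20|2f|3d|3e|0a|0d)"
NDB_LINE = "winnow.botnet.ff.trojans.4190:0:*:" + HEXSIG

def parse_ndb(line):
    """Split an .ndb record into (name, target_type, offset, hex_signature)."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, target, offset, hexsig

def tokens(hexsig):
    """Yield ('alt', [bytes, ...]) for (aa|bb) groups and ('lit', bytes) for hex runs.
    Wildcards (??, *, {n}) are outside this subset and raise ValueError."""
    for part in re.split(r"(\([^)]*\))", hexsig):
        if part.startswith("("):
            yield "alt", [bytes.fromhex(a) for a in part[1:-1].split("|")]
        elif part:
            yield "lit", bytes.fromhex(part)

def readable(hexsig):
    """Render the signature as in the post: literals as text, alternations in hex."""
    return "".join(
        val.decode("latin-1") if kind == "lit"
        else "(" + "|".join(a.hex() for a in val) + ")"
        for kind, val in tokens(hexsig))

def to_regex(hexsig):
    """Compile the signature to a bytes regex."""
    parts = [
        re.escape(val) if kind == "lit"
        else b"(?:" + b"|".join(re.escape(a) for a in val) + b")"
        for kind, val in tokens(hexsig)]
    return re.compile(b"".join(parts))

def scan(ndb_line, data):
    """Return (signature name, matched bytes), or None when nothing matches."""
    name, _target, _offset, hexsig = parse_ndb(ndb_line)
    m = to_regex(hexsig).search(data)
    return (name, m.group(0)) if m else None

# Constructed sample body carrying the URL shape named in the post.
SAMPLE = b'<a href="http://www.irs.gov.mikkuo.me.uk/">link</a>'

if __name__ == "__main__":
    print(readable(parse_ndb(NDB_LINE)[3]))
    print(scan(NDB_LINE, SAMPLE))
```

The leading and trailing alternations are delimiter bytes, so the signature fires only when the domain is bounded the way it would be inside a URL or an HTML attribute, not on an arbitrary longer string that happens to contain it.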