Problem Messages

Mark Sapiro mark at
Fri Nov 13 16:00:05 GMT 2009

On Thu, Nov 12, 2009 at 07:55:12AM -0800, Brett Moss wrote:
> I looked into the logs again and did find the following line.  It is the second line that I think I failed to post.
> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus  in
> This line is repeated each time MailScanner tries to process the message.
> I am unsure which scanner is catching it, the logs show nothing.  I am running clam, mcafee, and f-prot-6
> I have loaded to pastebin and I uploaded to virustotal, and it came up with nothing.

Found spam-virus means one of your virus scanners got a hit with a name
that matched the pattern in MailScanner's configuration setting

Virus Names Which Are Spam =

These are intended to be clam hits on Sanesecurity spam signatures.

Your message on the pastebin hits


on my system. This sig is winnow.botnet.ff.trojans.4190 from the
winnow_malware_links.ndb database. See

This sig decodes to


and hits on the / URL in the message.

Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
