Problem Messages

Mark Sapiro mark at msapiro.net
Fri Nov 13 16:00:05 GMT 2009


On Thu, Nov 12, 2009 at 07:55:12AM -0800, Brett Moss wrote:
> 
> I looked into the logs again and did find the following line.  It is the second line that I think I failed to post.
> 
> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus  in
> 
> This line is repeated each time MailScanner tries to process the message.
> I am unsure which scanner is catching it, the logs show nothing.  I am running clam, mcafee, and f-prot-6
> 
> I have loaded to pastebin  http://pastebin.com/m47f98b75 and I uploaded to virustotal, and it came up with nothing.


Found spam-virus means one of your virus scanners got a hit with a name
that matched the pattern in MailScanner's configuration setting

Virus Names Which Are Spam =

These are intended to be clam hits on Sanesecurity spam signatures.

Your message on the pastebin hits

winnow.botnet.ff.trojans.4190.UNOFFICIAL

on my system. This sig is winnow.botnet.ff.trojans.4190 from the
winnow_malware_links.ndb database. See
<http://www.sanesecurity.net/databases.htm>.


This sig decodes to

(2e|2f|40|20|3c)mikkuo.me.uk(27|22|20|2f|3d|3e|0a|0d)

and hits on the /www.irs.gov.mikkuo.me.uk/ URL in the message.

-- 
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
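
As an added example (not part of the original post, and not MailScanner or ClamAV code), the following Python translates the hex body of such a signature into a regex and shows why the leading and trailing byte alternations hit on the URL from the message but not on look-alike strings. The hex string is re-encoded from the decoded form quoted above; the function names and sample message fragments are constructed for illustration.

```python
import re

# Hex body re-encoded from the decoded form quoted in the post (constructed;
# the raw line from winnow_malware_links.ndb is not shown on the page).
SIG_HEX = ("(2e|2f|40|20|3c)" + b"mikkuo.me.uk".hex()
           + "(27|22|20|2f|3d|3e|0a|0d)")

TOKEN = re.compile(r"\((?P<alt>[0-9a-f|]+)\)|(?P<any>\?\?)|(?P<star>\*)"
                   r"|(?P<byte>[0-9a-f]{2})", re.I)

def sig_to_regex(sig_hex):
    """Translate a subset of ClamAV hex-signature syntax to a bytes regex:
    literal hex bytes, (aa|bb) alternation, ?? (any byte), * (any run)."""
    parts, pos = [], 0
    while pos < len(sig_hex):
        m = TOKEN.match(sig_hex, pos)
        if not m:
            raise ValueError(f"unsupported signature syntax at offset {pos}")
        if m.group("alt"):
            alts = [re.escape(bytes.fromhex(a)) for a in m.group("alt").split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        elif m.group("any"):
            parts.append(b".")
        elif m.group("star"):
            parts.append(b".*?")
        else:
            parts.append(re.escape(bytes.fromhex(m.group("byte"))))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def decode_readable(sig_hex):
    """Render literal bytes as text and keep alternations in hex, as in the post."""
    return "".join(bytes.fromhex(m.group("byte")).decode("latin-1")
                   if m.group("byte") else m.group(0)
                   for m in TOKEN.finditer(sig_hex))

# Constructed message fragments: one real hit and two near misses.
SAMPLES = {
    "phish_link": b'<a href="http://www.irs.gov.mikkuo.me.uk/">IRS</a>',
    "longer_label": b'<a href="http://notmikkuo.me.uk/">x</a>',
    "longer_suffix": b"see mikkuo.me.uk.example.org for details",
}

def scan(samples=SAMPLES):
    rx = sig_to_regex(SIG_HEX)
    return {name: bool(rx.search(body)) for name, body in samples.items()}

if __name__ == "__main__":
    print(decode_readable(SIG_HEX))
    print(scan())
```

The two near misses fail because the byte before or after the domain is not in the signature's alternation sets, which is how the signature anchors on the domain as a complete trailing host component.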

