Problem Messages

Brett Moss bamcomp at yahoo.com
Fri Nov 13 16:04:41 GMT 2009



--- On Fri, 11/13/09, Glenn Steen <glenn.steen at gmail.com> wrote:

> From: Glenn Steen <glenn.steen at gmail.com>
> Subject: Re: Problem Messages
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Date: Friday, November 13, 2009, 12:55 AM
> 2009/11/12 Brett Moss <bamcomp at yahoo.com>:
> > --- On Thu, 11/12/09, Glenn Steen <glenn.steen at gmail.com> wrote:
> >
> >> From: Glenn Steen <glenn.steen at gmail.com>
> >> Subject: Re: Problem Messages
> >> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> >> Date: Thursday, November 12, 2009, 5:39 AM
> >> 2009/11/12 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
> >> > On 11/11/09 18:28, Brett Moss wrote:
> >> >>
> >> >> [root at mailgw ~]# cat /var/log/maillog|grep nABBuKZR024867
> >> >> Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=<kristieamn4 at sonictimeworks.com>, size=2158, class=0, nrcpts=1, msgid=<000d01ca62c5$f6f7e140$6400a8c0 at kristieamn4>, proto=ESMTP, daemon=MTA, relay=cable-94-189-200-50.dynamic.sbb.rs [94.189.200.50]
> >> >> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer]<HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> >> >> Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
> >> >> Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer]<HTML/Irsphish (exact)> ./nABBuKZR024867/msg-21397-3.html
> >> >> Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867
> >> >
> >> > There may be some relevant log lines in between currently missing. At least an indication which scanner is detecting this. Which scanner is that BTW? Is it the only scanner? What are the other log lines?
> >> >
> >> > And given the nature of the message I think you would not mind sharing the content of that message somewhere so others can have a look at it also.
> >> >
> >> > I would probably never see these as the sender is using dialup networks and they would most likely be killed before the DATA line.
> >> >
> >> > Hugo.
> >> >
> >> Apart from Hugo's excellent notes, one can see that the processing db thing does exactly what it is supposed to. It is handling a situation where a message is responsible for killing MailScanner. You have the message in your quarantine, for further scrutiny (perhaps upload it to Virus Total (or similar site) to see what AV scanners think of it etc). Since it very likely is a baddie, you could likely pastebin it, so that we can have a look at it/try it on our systems (see if the killing thing is a) something local to your machine, and b) something (bug or not) we (or rather... Jules:-) can handle in the code).
> >>
> >> Cheers
> >> --
> >> -- Glenn
> >
> >
> > Hello Hugo, Glenn, all
> >
> > I looked into the logs again and did find the following line.  It is the second line that I think I failed to post.
> >
> > Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> > Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus  in
> >
> > This line is repeated each time MailScanner tries to process the message.
> > I am unsure which scanner is catching it, the logs show nothing.  I am running clam, mcafee, and f-prot-6
> >
> Looks like f-prot to me (well... not any mcafee or clamd thing, at least:-).
> Could you run the wrapper on the directory? You might need to copy the quarantine dir for it into a tmp folder, to mimic how the situation looks when MS calls the wrapper ... You also need to look in SweepVirus.pm to see what, if any, options you should pass to it.
> 
> > I have loaded to pastebin  http://pastebin.com/m47f98b75 and I uploaded to virustotal, and it came up with nothing.
> >
> But that's not the complete message. Nor is it the unpacked attachments. This is why you should check what actually triggers the AV, as well as which AV gets it.
> If nothing else, you should run the commandline tool for each scanner (clamdscan, uvscan ...) on the directory containing the quarantined item(s).
> Exactly what files do you have there?
> 

Hello,
You are correct, it was f-prot-6 that was finding the infection.  Clam also finds it to be infected, but outputs a different message.  Below is the result of the scan.  What I posted to pastebin is the full contents of the mail, or all I can find.  It is the same single file that I scanned with similar results anyhow.  The nABBuKZR024867 directory only contains the file named message.
Does this indicate I have something misconfigured in the spam-virus portion of my MailScanner.conf?

[root at mailgw MailScanner]# fpscan --report /var/spool/MailScanner/quarantine/20091111/nABBuKZR024867/

F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)
FRISK Software International (C) Copyright 1989-2007

Engine version: 4.4.4.56
Virus signatures: 200911131256952f24af491f0f0c22b2ab197902aa5e
                  (/opt/f-prot/antivir.def)

[Found password stealer] <HTML/Irsphish (exact, not disinfectable)>     /var/spool/MailScanner/quarantine/20091111/nABBuKZR024867/message->(qp)
[Contains infected objects]     /var/spool/MailScanner/quarantine/20091111/nABBuKZR024867/message


Results:

Files: 1
Skipped files: 0
MBR/boot sectors checked: 0
Objects scanned: 3
Infected objects: 1
Files with errors: 0
Disinfected: 0

Running time: 00:02

Thank you,
Brett
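Glenn's advice above comes down to finding which queued message keeps killing a MailScanner child and which scanner fires on it. As an added example (not code from this thread or from MailScanner), a Python parser that correlates the sendmail and MailScanner maillog lines in the format quoted above per queue id and flags messages that reach a retry count; the sample lines, the retry threshold of 3 and the sender/relay values are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the maillog format quoted in the thread; the
# queue id is the one from the thread, sender/relay values are placeholders.
SAMPLE_LOG = """\
Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=<sender@example.invalid>, size=2158, class=0, nrcpts=1, msgid=<placeholder@example.invalid>, proto=ESMTP, daemon=MTA, relay=host.example.invalid [192.0.2.10]
Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus  in
Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-21397-3.html
Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867
Nov 11 04:05:00 mailgw MailScanner[23223]: [Found virus] <Eicar-Test-Signature> ./nABCdEF012345/msg-23223-1.txt
"""

SENDMAIL_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=<([^>]*)>.*relay=(\S+) \[([^\]]+)\]")
DETECT_RE = re.compile(r"MailScanner\[\d+\]: \[Found ([^\]]+)\]\s*<([^>]+)> \./(\w+)/(\S+)")
ATTEMPT_RE = re.compile(r"MailScanner\[\d+\]: Making attempt (\d+) at processing message (\w+)")


def summarize(log_text, retry_threshold=3):
    """Group sendmail/MailScanner lines by queue id and flag messages that
    keep being retried (each retry means a child died on that message)."""
    msgs = defaultdict(lambda: {"from": None, "relay": None,
                                "detections": [], "max_attempt": 1})
    for line in log_text.splitlines():
        m = SENDMAIL_RE.search(line)
        if m:
            qid, sender, relay, ip = m.groups()
            msgs[qid]["from"] = sender
            msgs[qid]["relay"] = f"{relay} [{ip}]"
            continue
        m = DETECT_RE.search(line)
        if m:
            category, signature, qid, fname = m.groups()
            msgs[qid]["detections"].append((category, signature, fname))
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            attempt, qid = int(m.group(1)), m.group(2)
            msgs[qid]["max_attempt"] = max(msgs[qid]["max_attempt"], attempt)
    for rec in msgs.values():
        rec["stuck"] = rec["max_attempt"] >= retry_threshold  # assumed threshold
    return dict(msgs)


def stuck_messages(summary):
    """Queue ids worth pulling from the quarantine and scanning by hand."""
    return sorted(qid for qid, rec in summary.items() if rec["stuck"])
```

Run it over a real /var/log/maillog and the flagged queue ids are the quarantine directories to hand to fpscan, clamdscan or uvscan, as Glenn suggests.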
