Problem Messages
--[ UxBoD ]--
uxbod at splatnix.net
Wed Jan 13 08:31:00 GMT 2010
----- "Jules Field" <MailScanner at ecs.soton.ac.uk> wrote:
> Please can you send me the message so I can see what happens?
>
> As usual, upload to an unlinked URL on a website and email me directly the URL it resides at.
>
> Thanks!
> Jules.
>
> On 13/01/2010 07:37, --[ UxBoD ]-- wrote:
> > Hi,
> >
> > I got spammed with the following message overnight.
> >
> > Number of messages: 1
> > Tries Message Last Tried
> > ===== ======= ==========
> > 6 2AE74398847B.A6EE2 Tue Jan 12 22:17:26 2010
> >
> > I have checked /var/spool/MailScanner/incoming/Processing.db and the message is listed:
> >
> > strings Processing.db
> > SQLite format 3
> > {tablearchivearchive
> > CREATE TABLE archive (id TEXT, count INT, nexttime INT)J
> > gindexid_uniqprocessing
> > CREATE UNIQUE INDEX id_uniq ON processing(id)[
> > tableprocessingprocessing
> > CREATE TABLE processing (id TEXT, count INT, nexttime INT)
> > 892FD3988413.A95E6
> > 26E5239883ED.A900C
> > KMwT
> > .892FD3988413.A95E6
> > 26E5239883ED.A900C
> > 2AE74398847B.A6EE2
> >
> > Yet the message has actually been sorted in the Quarantine?
> >
> > # ls -ld quarantine/20100112/2AE74398847B.A6EE2
> > drwxrwx--- 2 postfix apache 4096 Jan 13 07:31 quarantine/20100112/2AE74398847B.A6EE2
> >
> > If it has been moved to the quarantine then should it not have been removed from the Processing database?
> >
> > Jan 12 21:53:15 gateway MailScanner[3575]: [Found password stealer]<HTML/Bayfraud.CD (exact)> ./2AE74398847B.A6EE2/msg-3575-13.html
> > Jan 12 21:57:16 gateway MailScanner[3561]: Making attempt 2 at processing message 2AE74398847B.A6EE2
> > Jan 12 21:57:18 gateway MailScanner[3561]: [Found password stealer]<HTML/Bayfraud.CD (exact)> ./2AE74398847B.A6EE2/msg-3561-5.html
> > Jan 12 22:02:25 gateway MailScanner[3557]: Making attempt 3 at processing message 2AE74398847B.A6EE2
> > Jan 12 22:02:26 gateway MailScanner[3557]: [Found password stealer]<HTML/Bayfraud.CD (exact)> ./2AE74398847B.A6EE2/msg-3557-5.html
> > Jan 12 22:06:55 gateway MailScanner[7797]: Making attempt 4 at processing message 2AE74398847B.A6EE2
> > Jan 12 22:06:57 gateway MailScanner[7797]: [Found password stealer]<HTML/Bayfraud.CD (exact)> ./2AE74398847B.A6EE2/msg-7797-3.html
> > Jan 12 22:10:38 gateway MailScanner[3552]: Making attempt 5 at processing message 2AE74398847B.A6EE2
> > Jan 12 22:10:40 gateway MailScanner[3552]: [Found password stealer]<HTML/Bayfraud.CD (exact)> ./2AE74398847B.A6EE2/msg-3552-9.html
> > Jan 12 22:14:30 gateway MailScanner[7757]: Making attempt 6 at processing message 2AE74398847B.A6EE2
> > Jan 12 22:14:31 gateway MailScanner[7757]: [Found password stealer]<HTML/Bayfraud.CD (exact)> ./2AE74398847B.A6EE2/msg-7757-2.html
> > Jan 12 22:14:35 gateway MailScanner[8075]: Warning: skipping message 2AE74398847B.A6EE2 as it has been attempted too many times
> > Jan 12 22:14:35 gateway MailScanner[8075]: Quarantined message 2AE74398847B.A6EE2 as it caused MailScanner to crash several times
> > Jan 12 22:14:35 gateway MailScanner[8075]: Saved entire message to /var/spool/MailScanner/quarantine/20100112/2AE74398847B.A6EE2
> > Jan 12 22:14:35 gateway MailScanner[8075]: Logging message 2AE74398847B.A6EE2 to SQL
> > Jan 12 22:14:35 gateway MailScanner[8801]: 2AE74398847B.A6EE2: Logged to MailWatch SQL
> >
> >
>
> Jules
>
On its way :)
--
Thanks, Phil
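
The cross-check described in the quoted report (an id still listed in Processing.db although its directory already exists under the quarantine), as an added example that is not part of the original thread and is not MailScanner code. The table schema, message ids and directory layout are taken from the post; the function names, the `count` values for the other two ids and all `nexttime` values are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

def stale_processing_entries(db_path, quarantine_root):
    """Return (id, count, quarantine_dir) for rows still tracked but already quarantined."""
    # Read-only URI so the live database is never modified by the check.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute("SELECT id, count FROM processing ORDER BY id").fetchall()
    finally:
        conn.close()
    # Quarantine layout as shown in the post: <root>/<YYYYMMDD>/<message id>/
    quarantined = {}
    for day in sorted(os.listdir(quarantine_root)):
        day_dir = os.path.join(quarantine_root, day)
        if os.path.isdir(day_dir):
            for msg_id in os.listdir(day_dir):
                quarantined[msg_id] = os.path.join(day_dir, msg_id)
    return [(i, c, quarantined[i]) for i, c in rows if i in quarantined]

def build_sample(root):
    """Constructed sample: the posted schema and ids in a throwaway directory."""
    db_path = os.path.join(root, "Processing.db")
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE processing (id TEXT, count INT, nexttime INT)")
    conn.execute("CREATE UNIQUE INDEX id_uniq ON processing(id)")
    conn.executemany("INSERT INTO processing VALUES (?, ?, ?)", [
        ("892FD3988413.A95E6", 1, 0),   # count and nexttime constructed
        ("26E5239883ED.A900C", 1, 0),   # count and nexttime constructed
        ("2AE74398847B.A6EE2", 6, 0),   # 6 tries as reported; nexttime constructed
    ])
    conn.commit()
    conn.close()
    quarantine_root = os.path.join(root, "quarantine")
    os.makedirs(os.path.join(quarantine_root, "20100112", "2AE74398847B.A6EE2"))
    return db_path, quarantine_root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        db, qroot = build_sample(tmp)
        for msg_id, count, path in stale_processing_entries(db, qroot):
            print(f"{msg_id}: {count} tries, already quarantined at {path}")
```

On a real gateway the two arguments would be `/var/spool/MailScanner/incoming/Processing.db` and `/var/spool/MailScanner/quarantine`, the paths given in the post.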