Malformed signature kills MailScanner

Alvaro Marin alvaro at
Mon Mar 14 14:53:03 GMT 2011


Two days ago, we started to receive messages with a zip attachment.
Those messages were killing MailScanner processes so the queue started 
to grow.
ClamAV was detecting those messages with the "rogue.hdb" signatures of 

Mar 12 00:01:28 clamd[7666]: 
Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
Mar 12 00:01:28 clamd[7666]: 
Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND

As you see, the name of the virus has a " " at the end.  Logs show this 
strange line:

Mar 12 00:01:48 MailScanner[17877]: Found spam-virus  in

I changed the rogue.hdb signature file and removed the space at the end 
of the line and then the messages were processed fine and the queue was 

Now I see that the signature is correct, without that space, but for 
example there are other examples:

$ wget --no-verbose
2011-03-14 15:43:56 URL: 
[119235/119235] -> "rogue.hdb" [1]
$ grep " $" rogue.hdb

(those signatures have a space at the end of the line).

I'll notify the signature's creator to correct this, but why does 
MailScanner die when the signature has a space? Can it be fixed to check for this?



Alvaro Marín Illera
Hostalia Internet
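
A pre-install check for the problem reported above, as an added example that is not part of the original post and is not MailScanner or ClamAV code. It assumes each line of the file has the layout MD5:FileSize:SignatureName; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a hash-signature file before it reaches the scanner.
# Assumption: one signature per line, MD5:FileSize:SignatureName.

# lint_hdb FILE: print "line N: reason" for each bad line; return 1 if any.
lint_hdb() {
    awk -F: '
        /^$/ { next }                                  # ignore empty lines
        /[ \t\r]$/ { print "line " NR ": trailing whitespace"; bad = 1; next }
        NF != 3 { print "line " NR ": expected 3 fields"; bad = 1; next }
        length($1) != 32 || $1 !~ /^[0-9A-Fa-f]+$/ {
            print "line " NR ": bad MD5 field"; bad = 1; next }
        $2 !~ /^[0-9]+$/ && $2 != "*" {
            print "line " NR ": bad size field"; bad = 1; next }
        $3 == "" || $3 ~ /[ \t]/ {
            print "line " NR ": empty name or whitespace in name"; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# clean_hdb FILE: write FILE to stdout with trailing whitespace removed.
clean_hdb() {
    sed 's/[[:space:]]*$//' "$1"
}

# install_hdb SRC DEST: clean SRC, lint the result, and write DEST only if
# the cleaned copy passes, so a malformed update is never installed.
install_hdb() {
    tmp=$(mktemp) || return 1
    clean_hdb "$1" > "$tmp"
    if lint_hdb "$tmp"; then
        cat "$tmp" > "$2"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample: the second line ends in a space, as in the report.
sample=$(mktemp)
printf '%s\n' \
    '0123456789abcdef0123456789abcdef:1024:Example.Constructed.Sig-1' \
    'fedcba9876543210fedcba9876543210:2048:Example.Constructed.Sig-2 ' \
    > "$sample"
lint_hdb "$sample" || echo "rejected: trailing whitespace in signature file"
rm -f "$sample"
```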
