Malformed signature kills MailScanner
Alvaro Marin
alvaro at hostalia.com
Mon Mar 14 14:53:03 GMT 2011
Hello,
Two days ago, we started to receive messages with a zip attachment.
Those messages were killing MailScanner processes so the queue started
to grow.
ClamAV was detecting those messages with the "rogue.hdb" signatures of
Sanesecurity:
Mar 12 00:01:28 192.168.66.215 clamd[7666]: /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip: Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
Mar 12 00:01:28 192.168.66.215 clamd[7666]: /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message: Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
As you see, the name of the virus has a " " at the end. Logs show this
strange line:
Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found spam-virus in
I changed the rogue.hdb signature file and removed the space at the end
of the line and then the messages were processed fine and the queue was
processed.
Now I see that the signature is correct, without that space, but for
example there are other examples:
$ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
2011-03-14 15:43:56 URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb [119235/119235] -> "rogue.hdb" [1]
$ grep " $" rogue.hdb
424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694
(those signatures have a space at the end of the line).
I'll notify the signature's creator to correct this, but why does
MailScanner die when the signature has a space? Can it be fixed to check for it?
Thanks!
Regards,
--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com
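
Added example, not part of the original post and not MailScanner or ClamAV code: a pre-install check that rejects a downloaded .hdb file containing the trailing-space defect described above, plus the cleanup the poster applied by hand. It assumes the three-field hash:size:name layout visible in the grep output; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# lint_hdb FILE: print "line N: reason" for every malformed entry.
# Returns 0 when the file is clean, 1 otherwise.
# Assumption: each entry is MD5:size:name, as in the post's grep output.
lint_hdb() {
    awk -F: '
        /^[[:space:]]*$/ { next }   # ignore blank lines
        /[[:space:]]$/   { printf "line %d: trailing whitespace\n", NR; bad = 1; next }
        NF != 3          { printf "line %d: expected 3 fields\n", NR; bad = 1; next }
        $1 !~ /^[0-9a-fA-F]+$/ || length($1) != 32 {
                           printf "line %d: bad MD5 field\n", NR; bad = 1; next }
        $2 !~ /^[0-9]+$/ { printf "line %d: bad size field\n", NR; bad = 1; next }
        $3 == "" || $3 ~ /[[:space:]]/ {
                           printf "line %d: bad signature name\n", NR; bad = 1; next }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# clean_hdb IN OUT: copy IN to OUT with trailing whitespace (spaces, tabs,
# CR) stripped, then lint OUT so any other defect still blocks installation.
clean_hdb() {
    sed 's/[[:space:]]*$//' "$1" > "$2" && lint_hdb "$2"
}

# make_sample FILE: write constructed entries (not real signatures).
# Entry 2 ends in a space; entry 3 has a non-numeric size.
make_sample() {
    printf '%s\n' \
        '0123456789abcdef0123456789abcdef:1024:Example.Constructed.A' \
        'fedcba9876543210fedcba9876543210:2048:Example.Constructed.B ' \
        '0123456789abcdef0123456789abcdef:12kb:Example.Constructed.C' \
        > "$1"
}

# Demo: lint the download, and only use the cleaned copy if it passes.
sample=$(mktemp)
fixed=$(mktemp)
make_sample "$sample"
lint_hdb "$sample" || echo "rejected: not installing original file"
if clean_hdb "$sample" "$fixed"; then
    echo "cleaned copy passes"
else
    echo "cleaned copy still has defects: not installing"
fi
rm -f "$sample" "$fixed"
```

Run against a freshly downloaded signature file before it is copied into the ClamAV database directory, so a malformed name never reaches the scanner output that MailScanner parses.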