Malformed signature kills MailScanner

Alvaro Marin alvaro at hostalia.com
Mon Mar 14 15:16:29 GMT 2011


Hi again,

just another thing: running MailScanner with --debug, it died with this
message:

Can't call method "CombineReports" on unblessed reference at 
/opt/MailScanner/lib/MailScanner/MessageBatch.pm line 736.

Regards,


On 14/03/11 15:53, Alvaro Marin wrote:
> Hello,
>
> two days ago, we started to receive messages with a zip attachment.
> Those messages were killing MailScanner processes so the queue started
> to grow.
> ClamAV was detecting those messages with the "rogue.hdb" signatures of
> Sanesecurity:
>
> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip:
> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message:
> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>
> As you see, the name of the virus has a " " at the end. Logs show this
> strange line:
>
> Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found spam-virus in
>
> I changed the rogue.hdb signature file and removed the space at the end
> of the line and then the messages were processed fine and the queue was
> processed.
>
> Now I see that the signature is correct, without that space, but for
> example there are other examples:
>
> $ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
> 2011-03-14 15:43:56 URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb
> [119235/119235] -> "rogue.hdb" [1]
> $ grep " $" rogue.hdb
> 424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
> 9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
> 3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694
>
> (those signatures have a space at the end of the line).
>
> I'll notify the signature's creator so this gets corrected, but why does
> MailScanner die when the signature has a space? Can it be fixed to check for it?
>
> Thanks!
>
> Regards,
>


-- 
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com
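
A pre-install check for the trailing-whitespace problem described in this message, as an added example that is not part of the original post and not MailScanner or Sanesecurity code. It assumes the three-field `MD5:size:name` form visible in the grep output; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a ClamAV .hdb file before it is installed.
# Assumption: every entry uses the three-field form MD5:size:name.

# Print "<line>: <reason>" for each bad line; exit status 1 if any was found.
lint_hdb() {
    awk '
        BEGIN { bad = 0 }
        /^$/ { next }                       # ignore empty lines
        /[ \t\r]$/ { print NR ": trailing whitespace"; bad = 1; next }
        # first colon must follow exactly 32 hex digits
        index($0, ":") != 33 || !/^[0-9a-fA-F]+:[0-9]+:[^ \t\r:]+$/ {
            print NR ": not MD5:size:name"; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Write a copy of the file with trailing whitespace stripped to stdout.
clean_hdb() {
    sed 's/[[:space:]]*$//' "$1"
}

# Constructed sample data (hypothetical hashes and names) written to "$1".
make_sample() {
    {
        printf '%s\n'   '00000000000000000000000000000001:1024:Example.Sig.Good'
        printf '%s \n'  '00000000000000000000000000000002:2048:Example.Sig.Space'
        printf '%s\r\n' '00000000000000000000000000000003:4096:Example.Sig.CRLF'
        printf '%s\n'   'deadbeef:512:Example.Sig.ShortHash'
    } > "$1"
}

# Demo: gate installation on the lint result.
tmp=$(mktemp) && make_sample "$tmp"
if lint_hdb "$tmp"; then
    echo "ok to install"
else
    echo "rejected; lint of cleaned copy:"
    clean_hdb "$tmp" > "$tmp.clean"
    lint_hdb "$tmp.clean" || true           # only the short-hash line remains
fi
rm -f "$tmp" "$tmp.clean"
```

Run against a freshly downloaded signature file, a non-zero exit from `lint_hdb` is the signal to keep the previous copy in place.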


