Malformed signature kills MailScanner

Martin Hepworth maxsec at gmail.com
Mon Mar 14 16:08:52 GMT 2011


What version of MailScanner, ClamAV and the libraries (mailscanner -v)?

-- 
Martin Hepworth
Oxford, UK


On 14 March 2011 15:16, Alvaro Marin <alvaro at hostalia.com> wrote:

> Hi again,
>
> just another thing: running MailScanner with --debug, it died with this
> message:
>
> Can't call method "CombineReports" on unblessed reference at
> /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 736.
>
> Regards,
>
>
> On 14/03/11 15:53, Alvaro Marin wrote:
>
>> Hello,
>>
>> two days ago, we started to receive messages with a zip attachment.
>> Those messages were killing MailScanner processes so the queue started
>> to grow.
>> ClamAV was detecting those messages with the "rogue.hdb" signatures of
>> Sanesecurity:
>>
>> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
>> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip:
>> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
>> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message:
>> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>>
>> As you see, the name of the virus has a " " at the end. Logs show this
>> strange line:
>>
>> Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found spam-virus in
>>
>> I changed the rogue.hdb signature file and removed the space at the end
>> of the line and then the messages were processed fine and the queue was
>> processed.
>>
>> Now I see that the signature is correct, without that space, but for
>> example there are other examples:
>>
>> $ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
>> 2011-03-14 15:43:56 URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb
>> [119235/119235] -> "rogue.hdb" [1]
>> $ grep " $" rogue.hdb
>> 424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
>> 9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
>> 3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694
>>
>> (those signatures have a space at the end of the line).
>>
>> I'll notify the signature's creator to correct this, but why does
>> MailScanner die when the signature has a space? Can it be fixed to check
>> for it?
>>
>> Thanks!
>>
>> Regards,
>>
>>
>
> --
> Alvaro Marín Illera
> Hostalia Internet
> www.hostalia.com
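The trailing-space defect described in this thread can be caught before a third-party signature file is installed for clamd. The following is an added example, not code from MailScanner, ClamAV, Sanesecurity or the posters: a Python lint that assumes the three-field `hash:size:name` layout of the rogue.hdb lines quoted above; the function names and sample lines are constructed for illustration.

```python
import re

# Layout of the rogue.hdb lines quoted in the thread (assumed here):
#   <32 hex chars>:<size in bytes>:<signature name>
HASH_RE = re.compile(r"[0-9a-fA-F]{32}")
SIZE_RE = re.compile(r"[0-9]+")
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample, not real signatures: line 2 ends in a space,
# line 3 in a tab, line 4 has a bad hash field.
SAMPLE = (
    "0123456789abcdef0123456789abcdef:1024:Constructed.Test.0001\n"
    "fedcba9876543210fedcba9876543210:2048:Constructed.Test.0002 \n"
    "00112233445566778899aabbccddeeff:4096:Constructed.Test.0003\t\n"
    "not-a-hash:12:Constructed.Test.0004\n"
)

def lint_hdb_line(line):
    """Return the problems found in one signature line (empty list = clean)."""
    problems = []
    body = line.rstrip("\r\n")
    if body != body.rstrip():
        problems.append("trailing whitespace")
    parts = body.rstrip().split(":")
    if len(parts) != 3:
        return problems + ["expected 3 colon-separated fields, got %d" % len(parts)]
    digest, size, name = parts
    if not HASH_RE.fullmatch(digest):
        problems.append("hash is not 32 hex characters")
    if not SIZE_RE.fullmatch(size):
        problems.append("size is not a decimal integer")
    if not NAME_RE.fullmatch(name):
        problems.append("unexpected characters in signature name")
    return problems

def lint_hdb(text):
    """Map 1-based line number -> problems, for the lines that have any."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            problems = lint_hdb_line(line)
            if problems:
                report[number] = problems
    return report

def strip_trailing_whitespace(text):
    """Repair only the defect from the thread; other problems still fail lint."""
    return "".join(line.rstrip() + "\n" for line in text.splitlines())
```

Running `lint_hdb` on a freshly downloaded file and refusing to install it when the report is non-empty keeps a malformed update out of the scanner's signature directory.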