Malformed signature kills MailScanner
Alvaro Marin
alvaro at hostalia.com
Mon Mar 14 16:17:03 GMT 2011
Hi,
yes, sorry:
# /opt/MailScanner/bin/MailScanner -v
Running on
Linux relay 2.6.32-5-686-bigmem #1 SMP Wed Jan 12 04:40:25 UTC 2011 i686
GNU/Linux
This is Perl version 5.010001 (5.10.1)
This is MailScanner version 4.82.6
Module versions are:
1.00 AnyDBM_File
1.30 Archive::Zip
0.23 bignum
1.11 Carp
2.015 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.124 Data::Dumper
2.27 Date::Parse
1.03 DirHandle
1.06 Fcntl
2.77 File::Basename
2.14 File::Copy
2.02 FileHandle
2.07_03 File::Path
0.22 File::Temp
0.92 Filesys::Df
3.64 HTML::Entities
3.64 HTML::Parser
3.57 HTML::TokeParser
1.25 IO
1.14 IO::File
1.13 IO::Pipe
2.04 Mail::Header
1.89 Math::BigInt
0.22 Math::BigRat
3.08 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.08 MIME::QuotedPrint
5.427 MIME::Tools
0.14 Net::CIDR
1.25 Net::IP
0.19 OLE::Storage_Lite
1.04 Pod::Escapes
3.07 Pod::Simple
1.17 POSIX
1.21 Scalar::Util
1.82 Socket
2.20 Storable
1.4 Sys::Hostname::Long
0.27 Sys::Syslog
1.26 Test::Pod
0.92 Test::Simple
1.9719 Time::HiRes
1.02 Time::localtime
Optional module versions are:
1.52 Archive::Tar
0.23 bignum
missing Business::ISBN
missing Business::ISBN::Data
missing Data::Dump
1.82 DB_File
1.25 DBD::SQLite
1.607 DBI
1.16 Digest
1.02 Digest::HMAC
2.39 Digest::MD5
2.13 Digest::SHA1
1.01 Encode::Detect
0.17015 Error
0.2602 ExtUtils::CBuilder
2.2002 ExtUtils::ParseXS
2.38 Getopt::Long
missing Inline
missing IO::String
1.10 IO::Zlib
2.27 IP::Country
missing Mail::ClamAV
3.003001 Mail::SpamAssassin
v2.007 Mail::SPF
1.999001 Mail::SPF::Query
0.340201 Module::Build
0.20 Net::CIDR::Lite
0.66 Net::DNS
v0.003 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.022 NetAddr::IP
missing Parse::RecDescent
missing SAVI
3.17 Test::Harness
missing Test::Manifest
2.0.0 Text::Balanced
1.54 URI
0.77 version
0.72 YAML
# /usr/local/sbin/clamd -V
ClamAV 0.97/12837/Mon Mar 14 16:24:09 2011
Regards,
On 14/03/11 17:08, Martin Hepworth wrote:
> what version of MailScanner, clamav and the libraries (mailscanner -v)
>
> --
> Martin Hepworth
> Oxford, UK
>
>
> On 14 March 2011 15:16, Alvaro Marin <alvaro at hostalia.com> wrote:
>
> Hi again,
>
> just another thing: running MailScanner with --debug, it died with
> this message:
>
> Can't call method "CombineReports" on unblessed reference at
> /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 736.
>
> Regards,
>
>
> On 14/03/11 15:53, Alvaro Marin wrote:
>
> Hello,
>
> two days ago, we started to receive messages with a zip attachment.
> Those messages were killing MailScanner processes so the queue
> started to grow.
> ClamAV was detecting those messages with the "rogue.hdb"
> signatures of Sanesecurity:
>
> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip:
> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message:
> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>
> As you see, the name of the virus has a " " at the end. Logs
> show this strange line:
>
> Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found
> spam-virus in
>
> I changed the rogue.hdb signature file and removed the space at the
> end of the line and then the messages were processed fine and the
> queue was processed.
>
> Now I see that the signature is correct, without that space, but for
> example there are other examples:
>
> $ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
> 2011-03-14 15:43:56
> URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb
> [119235/119235] -> "rogue.hdb" [1]
> $ grep " $" rogue.hdb
> 424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
> 9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
> 3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694
>
> (those signatures have a space at the end of the line).
>
> I'll notify the signature's creator to correct this, but why does
> MailScanner die when the signature has a space? Can it be fixed
> to check for it?
>
> Thanks!
>
> Regards,
>
>
>
> --
> Alvaro Marín Illera
> Hostalia Internet
> www.hostalia.com
>
--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com
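
A pre-install check for the trailing-space problem described in this thread, as an added example that is not part of the original messages and not code from MailScanner, ClamAV or Sanesecurity: it lints a .hdb file in the three-field md5:size:name form shown above and installs a normalised copy only if every line passes. The function names (lint_hdb, strip_trailing_ws, install_hdb, make_sample) and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate a ClamAV .hdb update on a format check.
# All function names and sample entries are constructed for illustration.

# Print "LINE:REASON" for each malformed entry; exit status 1 if any found.
lint_hdb() {
    awk -F: '
        function bad(why) { print NR ":" why; rc = 1 }
        /[ \t\r]+$/                                { bad("trailing-whitespace"); next }
        NF != 3                                    { bad("field-count"); next }
        $1 !~ /^[0-9a-fA-F]+$/ || length($1) != 32 { bad("bad-md5"); next }
        $2 !~ /^[0-9]+$/                           { bad("bad-size"); next }
        $3 !~ /^[A-Za-z0-9._-]+$/                  { bad("bad-name"); next }
        END { exit rc + 0 }
    ' "$1"
}

# Write a copy of $1 to $2 with trailing whitespace stripped from every line.
strip_trailing_ws() {
    sed 's/[[:space:]]*$//' "$1" > "$2"
}

# Normalise $1, lint the result, and move it to $2 only if every line passes.
install_hdb() {
    tmp="$2.new.$$"
    strip_trailing_ws "$1" "$tmp" || return 2
    if lint_hdb "$tmp" >/dev/null; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample: line 2 ends in a space, line 3 has a truncated hash.
make_sample() {
    printf '%s\n' \
        '0123456789abcdef0123456789abcdef:37376:Example.Rogue.Test.1' \
        'fedcba9876543210fedcba9876543210:36864:Example.Rogue.Test.2 ' \
        'abc123:29568:Example.Rogue.Test.3' > "$1"
}

dir=$(mktemp -d)
make_sample "$dir/sample.hdb"
lint_hdb "$dir/sample.hdb" || echo "sample.hdb rejected, not installed"
rm -rf "$dir"
```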