Malformed signature kills MailScanner

Alvaro Marin alvaro at hostalia.com
Mon Mar 14 16:53:55 GMT 2011


Hi,

I've been debugging the code and this is the result:

#/opt/MailScanner/bin/MailScanner --debug
...
Have a batch of 1 message.
Output is "INFECTED:: Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL :: ./D30232D90002.AFF7F/nnMy_Documents.zip"
virus = "Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL " re = "(?:^\s*Sane.*UNOFFICIAL\s*$|^\s*HTML\/.*\s*$|^\s*.*Phish.*\s*$)"
Processing line "" produced
ScannerOutput = "0 D30232D90002.AFF7F Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL "
Found spam-virus: ,
id=
Can't call method "CombineReports" on unblessed reference at /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 731.

So the problem is in SweepViruses.pm, in this part of the code:

           if ($ScannerOutput =~ s/^0\s+//) {
             # It's a spam-virus and the infection name for the spam report
             # is in $ScannerOutput
             $ScannerOutput =~ /^(\S+)\s+(\S+)\s*$/;
             my ($messageid, $report) = ($1, $2);

             print STDERR "Found spam-virus: $messageid, $report\n";
             MailScanner::Log::WarnLog("Found spam-virus %s in %s",
                                       $report, $messageid);
             $batch->{messages}{"$messageid"}->{spamvirusreport} .= ', '
               if $batch->{"$messageid"}->{spamvirusreport};
             $batch->{messages}{"$messageid"}->{spamvirusreport} .= $report;
             print STDERR "id=" . $batch->{messages}{"$messageid"}->{id} . "\n";
           }

The regexp /^(\S+)\s+(\S+)\s*$/ doesn't match the value of 
$ScannerOutput, due to the space in the virus's name.

One solution could be to check the $virusname variable when the "split" 
is done:

   ($keyword, $virusname, $filename) = split(/:: /, $line, 3);

in the ProcessClamAVModOutput function, to delete spaces or strange 
characters (the problem is with the name of the signature, not with 
MailScanner, but IMHO it would be better if the name could be checked to 
avoid these types of problems).

Jules, what do you think?

Thank you!

Regards,

On 14/03/11 17:17, Alvaro Marin wrote:
> Hi,
>
> yes, sorry:
>
> # /opt/MailScanner/bin/MailScanner -v
> Running on
> Linux relay 2.6.32-5-686-bigmem #1 SMP Wed Jan 12 04:40:25 UTC 2011 i686
> GNU/Linux
>
> This is Perl version 5.010001 (5.10.1)
>
> This is MailScanner version 4.82.6
> Module versions are:
> 1.00 AnyDBM_File
> 1.30 Archive::Zip
> 0.23 bignum
> 1.11 Carp
> 2.015 Compress::Zlib
> 1.119 Convert::BinHex
> 0.17 Convert::TNEF
> 2.124 Data::Dumper
> 2.27 Date::Parse
> 1.03 DirHandle
> 1.06 Fcntl
> 2.77 File::Basename
> 2.14 File::Copy
> 2.02 FileHandle
> 2.07_03 File::Path
> 0.22 File::Temp
> 0.92 Filesys::Df
> 3.64 HTML::Entities
> 3.64 HTML::Parser
> 3.57 HTML::TokeParser
> 1.25 IO
> 1.14 IO::File
> 1.13 IO::Pipe
> 2.04 Mail::Header
> 1.89 Math::BigInt
> 0.22 Math::BigRat
> 3.08 MIME::Base64
> 5.427 MIME::Decoder
> 5.427 MIME::Decoder::UU
> 5.427 MIME::Head
> 5.427 MIME::Parser
> 3.08 MIME::QuotedPrint
> 5.427 MIME::Tools
> 0.14 Net::CIDR
> 1.25 Net::IP
> 0.19 OLE::Storage_Lite
> 1.04 Pod::Escapes
> 3.07 Pod::Simple
> 1.17 POSIX
> 1.21 Scalar::Util
> 1.82 Socket
> 2.20 Storable
> 1.4 Sys::Hostname::Long
> 0.27 Sys::Syslog
> 1.26 Test::Pod
> 0.92 Test::Simple
> 1.9719 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 1.52 Archive::Tar
> 0.23 bignum
> missing Business::ISBN
> missing Business::ISBN::Data
> missing Data::Dump
> 1.82 DB_File
> 1.25 DBD::SQLite
> 1.607 DBI
> 1.16 Digest
> 1.02 Digest::HMAC
> 2.39 Digest::MD5
> 2.13 Digest::SHA1
> 1.01 Encode::Detect
> 0.17015 Error
> 0.2602 ExtUtils::CBuilder
> 2.2002 ExtUtils::ParseXS
> 2.38 Getopt::Long
> missing Inline
> missing IO::String
> 1.10 IO::Zlib
> 2.27 IP::Country
> missing Mail::ClamAV
> 3.003001 Mail::SpamAssassin
> v2.007 Mail::SPF
> 1.999001 Mail::SPF::Query
> 0.340201 Module::Build
> 0.20 Net::CIDR::Lite
> 0.66 Net::DNS
> v0.003 Net::DNS::Resolver::Programmable
> missing Net::LDAP
> 4.022 NetAddr::IP
> missing Parse::RecDescent
> missing SAVI
> 3.17 Test::Harness
> missing Test::Manifest
> 2.0.0 Text::Balanced
> 1.54 URI
> 0.77 version
> 0.72 YAML
>
>
>
> # /usr/local/sbin/clamd -V
> ClamAV 0.97/12837/Mon Mar 14 16:24:09 2011
>
>
> Regards,
>
>
> On 14/03/11 17:08, Martin Hepworth wrote:
>> what version of MailScanner, clamav and the libraries (mailscanner -v)
>>
>> --
>> Martin Hepworth
>> Oxford, UK
>>
>>
>> On 14 March 2011 15:16, Alvaro Marin <alvaro at hostalia.com
>> <mailto:alvaro at hostalia.com>> wrote:
>>
>> Hi again,
>>
>> just another thing, running MailScanner with --debug, it died with
>> this message:
>>
>> Can't call method "CombineReports" on unblessed reference at
>> /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 736.
>>
>> Regards,
>>
>>
>> On 14/03/11 15:53, Alvaro Marin wrote:
>>
>> Hello,
>>
>> two days ago, we started to receive messages with a zip attachment.
>> Those messages were killing MailScanner processes so the queue
>> started to grow.
>> ClamAV was detecting those messages with the "rogue.hdb"
>> signatures of Sanesecurity:
>>
>> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
>> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip:
>> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
>> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message:
>> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>>
>> As you see, the name of the virus has a " " at the end. Logs
>> show this
>> strange line:
>>
>> Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found
>> spam-virus in
>>
>> I changed the rogue.hdb signature file and removed the space at
>> the end
>> of the line and then the messages were processed fine and the
>> queue was
>> processed.
>>
>> Now I see that the signature is correct, without that space, but for
>> example there are other examples:
>>
>> $ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
>> 2011-03-14 15:43:56
>> URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb
>> [119235/119235] -> "rogue.hdb" [1]
>> $ grep " $" rogue.hdb
>> 424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
>> 9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
>> 3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694
>>
>> (those signatures have a space at the end of the line).
>>
>> I'll notify the signature's creator to correct this, but why does
>> MailScanner die when the signature has a space? Can it be fixed
>> to check for it?
>>
>> Thanks!
>>
>> Regards,
>>
>>
>>
>> --
>> Alvaro Marín Illera
>> Hostalia Internet
>> www.hostalia.com <http://www.hostalia.com>
>>


-- 
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com
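As an added example (not MailScanner's own code) of the check suggested in the post, here is a small Perl script that parses the same kind of ClamAV spam-virus output defensively: it verifies the regexp actually matched before using the captures, and strips whitespace and stray characters from the virus name. The names clean_virusname and parse_spam_virus are hypothetical, and the sample lines are constructed from the --debug output quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines modelled on the --debug output in this thread.
my @samples = (
  "0 D30232D90002.AFF7F Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL ",  # space inside name
  "0 0630461AA4F.A1245 Sanesecurity.Rogue.0hr.0311v23576.UNOFFICIAL",     # well-formed
  "0 D30232D90002.AFF7F",                                                 # no report at all
);

# Hypothetical helper: normalise a ClamAV virus name the way the post suggests
# doing in ProcessClamAVModOutput, i.e. remove whitespace and anything that is
# not a plausible signature-name character before the name is stored.
sub clean_virusname {
  my ($name) = @_;
  $name =~ s/\s+//g;                 # drop embedded and trailing spaces
  $name =~ s/[^A-Za-z0-9_.\-]//g;    # keep only signature-name characters
  return $name;
}

# Hypothetical replacement for the fragile block in SweepViruses.pm: the
# original runs the regexp and uses $1/$2 unconditionally, so on a failed
# match $messageid is undefined and the batch lookup later blows up.
# Here the match is checked, and the report is everything after the id.
sub parse_spam_virus {
  my ($line) = @_;
  return unless $line =~ s/^0\s+//;              # not a spam-virus line
  my ($messageid, $report) = $line =~ /^(\S+)\s+(.+?)\s*$/
    or return;                                    # malformed: caller skips it
  return ($messageid, clean_virusname($report));
}

for my $line (@samples) {
  my ($id, $report) = parse_spam_virus($line);
  if (defined $id) {
    print "Found spam-virus $report in $id\n";
  } else {
    print "Skipping malformed ClamAV output line: '$line'\n";
  }
}
```

With the first sample the script reports Sanesecurity.Rogue.0hr.0903v13268.UNOFFICIAL for message D30232D90002.AFF7F instead of an empty id, and the third sample is skipped rather than crashing the batch.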
