Malformed signature kills MailScanner

Jeff Earickson jaearick at colby.edu
Mon Mar 14 17:39:31 GMT 2011


All (And Julian),

I am willing to bet that this bug is what has been biting us who have been sending emails with the subject "Making attempt # at processing message". It smells similar. Thanks for the debugging effort; I didn't have much to go on.

Jeff Earickson
Colby College

On Mon, Mar 14, 2011 at 12:53 PM, Alvaro Marin <alvaro at hostalia.com> wrote:
> Hi,
>
> I've been debugging the code and this is the result:
>
> #/opt/MailScanner/bin/MailScanner --debug
> ...
> Have a batch of 1 message.
> Output is "INFECTED:: Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL ::
> ./D30232D90002.AFF7F/nnMy_Documents.zip"
> virus = "Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL " re =
> "(?:^\s*Sane.*UNOFFICIAL\s*$|^\s*HTML\/.*\s*$|^\s*.*Phish.*\s*$)"
> Processing line "" produced
> ScannerOutput = "0 D30232D90002.AFF7F Sanesecurity.Rogue.0hr.0903v13268
> .UNOFFICIAL "
> Found spam-virus: ,
> id=
> Can't call method "CombineReports" on unblessed reference at
> /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 731.
>
> so the problem is in SweepViruses.pm, with this part of code:
>
>          if ($ScannerOutput =~ s/^0\s+//) {
>            # It's a spam-virus and the infection name for the spam report
>            # is in $ScannerOutput
>            $ScannerOutput =~ /^(\S+)\s+(\S+)\s*$/;
>            my ($messageid, $report) = ($1, $2);
>
>            print STDERR "Found spam-virus: $messageid, $report\n";
>            MailScanner::Log::WarnLog("Found spam-virus %s in %s",
>                                      $report, $messageid);
>            $batch->{messages}{"$messageid"}->{spamvirusreport} .= ', '
>              if $batch->{"$messageid"}->{spamvirusreport};
>            $batch->{messages}{"$messageid"}->{spamvirusreport} .= $report;
>            print STDERR "id=" . $batch->{messages}{"$messageid"}->{id} . "\n";
>          }
>
> the regexp /^(\S+)\s+(\S+)\s*$/ doesn't match with the value of
> $ScannerOutput, due to the space in the virus's name.
>
> One solution could be to check the $virusname variable when the "split" is
> done:
>
>  ($keyword, $virusname, $filename) = split(/:: /, $line, 3);
>
> in ProcessClamAVModOutput function, to delete spaces or strange characters
> (the problem is with the name of the signature, not with MailScanner, but
> IMHO it would be better if the name could be checked to avoid these type of
> problems).
>
> Jules, what do you think?
>
> Thank you!
>
> Regards,
>
> On 14/03/11 17:17, Alvaro Marin wrote:
>>
>> Hi,
>>
>> yes, sorry:
>>
>> # /opt/MailScanner/bin/MailScanner -v
>> Running on
>> Linux relay 2.6.32-5-686-bigmem #1 SMP Wed Jan 12 04:40:25 UTC 2011 i686
>> GNU/Linux
>>
>> This is Perl version 5.010001 (5.10.1)
>>
>> This is MailScanner version 4.82.6
>> Module versions are:
>> 1.00 AnyDBM_File
>> 1.30 Archive::Zip
>> 0.23 bignum
>> 1.11 Carp
>> 2.015 Compress::Zlib
>> 1.119 Convert::BinHex
>> 0.17 Convert::TNEF
>> 2.124 Data::Dumper
>> 2.27 Date::Parse
>> 1.03 DirHandle
>> 1.06 Fcntl
>> 2.77 File::Basename
>> 2.14 File::Copy
>> 2.02 FileHandle
>> 2.07_03 File::Path
>> 0.22 File::Temp
>> 0.92 Filesys::Df
>> 3.64 HTML::Entities
>> 3.64 HTML::Parser
>> 3.57 HTML::TokeParser
>> 1.25 IO
>> 1.14 IO::File
>> 1.13 IO::Pipe
>> 2.04 Mail::Header
>> 1.89 Math::BigInt
>> 0.22 Math::BigRat
>> 3.08 MIME::Base64
>> 5.427 MIME::Decoder
>> 5.427 MIME::Decoder::UU
>> 5.427 MIME::Head
>> 5.427 MIME::Parser
>> 3.08 MIME::QuotedPrint
>> 5.427 MIME::Tools
>> 0.14 Net::CIDR
>> 1.25 Net::IP
>> 0.19 OLE::Storage_Lite
>> 1.04 Pod::Escapes
>> 3.07 Pod::Simple
>> 1.17 POSIX
>> 1.21 Scalar::Util
>> 1.82 Socket
>> 2.20 Storable
>> 1.4 Sys::Hostname::Long
>> 0.27 Sys::Syslog
>> 1.26 Test::Pod
>> 0.92 Test::Simple
>> 1.9719 Time::HiRes
>> 1.02 Time::localtime
>>
>> Optional module versions are:
>> 1.52 Archive::Tar
>> 0.23 bignum
>> missing Business::ISBN
>> missing Business::ISBN::Data
>> missing Data::Dump
>> 1.82 DB_File
>> 1.25 DBD::SQLite
>> 1.607 DBI
>> 1.16 Digest
>> 1.02 Digest::HMAC
>> 2.39 Digest::MD5
>> 2.13 Digest::SHA1
>> 1.01 Encode::Detect
>> 0.17015 Error
>> 0.2602 ExtUtils::CBuilder
>> 2.2002 ExtUtils::ParseXS
>> 2.38 Getopt::Long
>> missing Inline
>> missing IO::String
>> 1.10 IO::Zlib
>> 2.27 IP::Country
>> missing Mail::ClamAV
>> 3.003001 Mail::SpamAssassin
>> v2.007 Mail::SPF
>> 1.999001 Mail::SPF::Query
>> 0.340201 Module::Build
>> 0.20 Net::CIDR::Lite
>> 0.66 Net::DNS
>> v0.003 Net::DNS::Resolver::Programmable
>> missing Net::LDAP
>> 4.022 NetAddr::IP
>> missing Parse::RecDescent
>> missing SAVI
>> 3.17 Test::Harness
>> missing Test::Manifest
>> 2.0.0 Text::Balanced
>> 1.54 URI
>> 0.77 version
>> 0.72 YAML
>>
>>
>>
>> # /usr/local/sbin/clamd -V
>> ClamAV 0.97/12837/Mon Mar 14 16:24:09 2011
>>
>>
>> Regards,
>>
>>
>> On 14/03/11 17:08, Martin Hepworth wrote:
>>>
>>> what version of MailScanner, clamav and the libraries (mailscanner -v)
>>>
>>> --
>>> Martin Hepworth
>>> Oxford, UK
>>>
>>>
>>> On 14 March 2011 15:16, Alvaro Marin <alvaro at hostalia.com> wrote:
>>>
>>> Hi again,
>>>
>>> just another thing: running MailScanner with --debug, it died with
>>> this message:
>>>
>>> Can't call method "CombineReports" on unblessed reference at
>>> /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 736.
>>>
>>> Regards,
>>>
>>>
>>> On 14/03/11 15:53, Alvaro Marin wrote:
>>>
>>> Hello,
>>>
>>> two days ago, we started to receive messages with a zip attachment.
>>> Those messages were killing MailScanner processes so the queue
>>> started to grow.
>>> ClamAV was detecting those messages with the "rogue.hdb"
>>> signatures of Sanesecurity:
>>>
>>> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
>>> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip:
>>> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>>> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
>>> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message:
>>> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>>>
>>> As you see, the name of the virus has a " " at the end. Logs
>>> show this strange line:
>>>
>>> Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found spam-virus in
>>>
>>> I changed the rogue.hdb signature file and removed the space at
>>> the end of the line and then the messages were processed fine and
>>> the queue was processed.
>>>
>>> Now I see that the signature is correct, without that space, but
>>> there are other examples:
>>>
>>> $ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
>>> 2011-03-14 15:43:56 URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb [119235/119235] -> "rogue.hdb" [1]
>>> $ grep " $" rogue.hdb
>>> 424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
>>> 9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
>>> 3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694
>>>
>>> (those signatures have a space at the end of the line).
>>>
>>> I'll notify the signature's creator to correct this, but why does
>>> MailScanner die when the signature has a space? Can it be fixed
>>> to check it?
>>>
>>> Thanks!
>>>
>>> Regards,
>>>
>>>
>>>
>>> --
>>> Alvaro Marín Illera
>>> Hostalia Internet
>>> www.hostalia.com
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>>
>
>
> --
> Alvaro Marín Illera
> Hostalia Internet
> www.hostalia.com
>


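The parsing path discussed in this thread, as an added example in Perl that is not MailScanner's own code: it reproduces the `split(/:: /, $line, 3)` of ProcessClamAVModOutput and the `/^(\S+)\s+(\S+)\s*$/` check of the spam-virus branch on a constructed clamd line whose signature name carries a space, and shows the fix Alvaro suggests of normalising the name at the split point. The subroutine names (`split_clamav_line`, `normalise_virusname`, `build_scanner_output`, `parse_spamvirus_line`, `process`) and the sample input are assumptions for this example, not MailScanner identifiers.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's own code. It reproduces the parsing
# path described in the thread on constructed input and shows the fix of
# normalising the signature name where the clamd line is split.
use strict;
use warnings;

# Constructed clamd line in the shape quoted in the thread. The signature
# name contains a space before ".UNOFFICIAL" because the .hdb entry ends
# in a space and clamd appends ".UNOFFICIAL" to the stored name.
my $CLAMD_LINE = 'INFECTED:: Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL :: ./D30232D90002.AFF7F/nnMy_Documents.zip';

# Same split as the ProcessClamAVModOutput line quoted in the thread.
# Returns ($keyword, $virusname, $filename).
sub split_clamav_line {
    my ($line) = @_;
    return split(/:: /, $line, 3);
}

# Hypothetical hardening (the suggestion in the thread): remove every
# whitespace character from the signature name so it is a single token.
sub normalise_virusname {
    my ($name) = @_;
    $name =~ s/\s+//g;
    return $name;
}

# The internal "0 <messageid> <report>" line handed to the spam-virus branch.
sub build_scanner_output {
    my ($messageid, $virusname) = @_;
    return "0 $messageid $virusname";
}

# The spam-virus branch's parse, as in the SweepViruses.pm snippet: it
# requires exactly two whitespace-free tokens after the leading "0 ".
# Returns an empty list on failure instead of silently reusing whatever
# $1/$2 held before, which is what leaves $messageid undefined in the
# original and lets $batch->{messages}{""} autovivify a plain hash.
sub parse_spamvirus_line {
    my ($out) = @_;
    return () unless $out =~ s/^0\s+//;
    return () unless $out =~ /^(\S+)\s+(\S+)\s*$/;
    return ($1, $2);
}

# End-to-end: $harden = 0 is the original path, 1 applies the normaliser.
# Returns the (messageid, report) pair, or an empty list on parse failure.
sub process {
    my ($line, $messageid, $harden) = @_;
    my ($keyword, $virusname, $filename) = split_clamav_line($line);
    $virusname = normalise_virusname($virusname) if $harden;
    return parse_spamvirus_line(build_scanner_output($messageid, $virusname));
}

# Demo when run directly.
unless (caller) {
    my @raw   = process($CLAMD_LINE, 'D30232D90002.AFF7F', 0);
    my @fixed = process($CLAMD_LINE, 'D30232D90002.AFF7F', 1);
    printf "original path: %s\n",
        @raw ? "matched @raw" : "no match (messageid undefined, batch key \"\" would autovivify)";
    printf "hardened path: %s\n",
        @fixed ? "matched @fixed" : "no match";
}
```

Run it with `perl` and the original path reports no match while the hardened path yields `D30232D90002.AFF7F Sanesecurity.Rogue.0hr.0903v13268.UNOFFICIAL`. The design point is that the space is inside the name, not only at its end, because clamd appends `.UNOFFICIAL` after the stored name, so trimming trailing whitespace alone would not be enough; collapsing all whitespace at the split point is what keeps the downstream two-token format intact whatever a third-party signature file contains.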