Malware Tried to Kill MailScanner
M A Young
m.a.young at durham.ac.uk
Fri Oct 12 11:27:30 IST 2012
On Thu, 11 Oct 2012, Scott Silva wrote:
> on 10/11/2012 10:12 AM Timothy J. Barhorst spake the following:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
>> Sent: Thursday, October 11, 2012 11:40 AM
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: Malware Tried to Kill MailScanner
>> on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
>>> Our CentOS 5 - MailScanner 4.84.5-2 server was attacked last night
>>> with a message that tried to kill MailScanner.
>>> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>>> Should this have happened? Is this a bug in MailScanner? Why would
>>> MailScanner crash?
>>>> This happens when the processing takes too long to complete. Sometimes
>> a deeply nested zip file, or other system processing. Usually the
>> message gets quarantined after the processing attempts have reached the
>> O.K. That makes sense.. Thanks.
>> How do I stop the hourly MailScanner message that is telling me this
>> Number of messages: 1
>> Tries Message Last Tried
>> ===== ======= ==========
>> 6 q9B6UwqI024249 Thu Oct 11 02:53:14 2012
> I usually have to delete the Processing.db in /var/spool/MailScanner/incoming
> Stop MailScanner, delete, and restart... A new one will be created... I'm sure
> there is some commandline magic to do this from inside MailScanner, and one of
> the smarter people on here will hopefully chime in with it...
You can avoid a restart by editing the database directly, e.g.

    select * from archive;
    delete from archive where id='xxxxxxxxxxxxxx';

There is also a processing table, but for that table you should be careful
you don't delete anything relating to messages currently being processed.
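
The archive-table edit described in this thread, as an added example that is not part of the original posts and is not MailScanner's own code. It assumes Processing.db is an SQLite file whose archive and processing tables are keyed by a text id column; the count and nexttime columns, the function names, and every row other than the message id and try count quoted above are constructed for illustration.

```python
import sqlite3

# Assumed layout (not confirmed by the thread): an SQLite file with tables
# "archive" and "processing"; only the "id" column is named in the thread.
SCHEMA = """
CREATE TABLE archive (id TEXT, count INT, nexttime INT);
CREATE TABLE processing (id TEXT, count INT, nexttime INT);
"""

def open_db(path, busy_seconds=10.0):
    # MailScanner keeps using the file while we edit it, so wait on locks
    # for a while instead of failing immediately.
    return sqlite3.connect(path, timeout=busy_seconds)

def list_archive(conn):
    """Equivalent of 'select * from archive', oldest retry first."""
    return conn.execute(
        "SELECT id, count, nexttime FROM archive ORDER BY nexttime").fetchall()

def delete_archived(conn, msg_id):
    """Delete one archive row by exact message id; processing is never touched.
    Returns the number of rows removed (0 if the id is not archived)."""
    with conn:  # single transaction: commit on success, roll back on error
        cur = conn.execute("DELETE FROM archive WHERE id = ?", (msg_id,))
        if cur.rowcount > 1:
            raise RuntimeError("more than one row matched; rolled back")
        return cur.rowcount

def demo():
    # Constructed in-memory copy so the example runs without a real spool.
    conn = open_db(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO archive VALUES ('q9B6UwqI024249', 6, 1349920394)")
    conn.execute("INSERT INTO archive VALUES ('qCONSTRUCTED0001', 6, 1349924000)")
    conn.execute("INSERT INTO processing VALUES ('qCONSTRUCTED0002', 1, 1349927000)")
    conn.commit()
    removed = delete_archived(conn, "q9B6UwqI024249")
    missing = delete_archived(conn, "no-such-id")
    left = [row[0] for row in list_archive(conn)]
    in_flight = conn.execute("SELECT count(*) FROM processing").fetchone()[0]
    return removed, missing, left, in_flight

if __name__ == "__main__":
    print(demo())
```

On a live server the path passed to open_db would be the Processing.db under /var/spool/MailScanner/incoming mentioned above.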