Malware Tried to Kill MailScanner
M A Young
m.a.young at durham.ac.uk
Fri Oct 12 11:27:30 IST 2012
On Thu, 11 Oct 2012, Scott Silva wrote:
> on 10/11/2012 10:12 AM Timothy J. Barhorst spake the following:
>>
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
>> Silva
>> Sent: Thursday, October 11, 2012 11:40 AM
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: Malware Tried to Kill MailScanner
>>
>> on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
>>> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night
>>> with a message that tried to kill MailScanner.
>>>
>>> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>>>
>>>
>>>
>>> Should this have happened? Is this a bug in MailScanner? Why would
>>> MailScanner crash?
>>>
>>>
>>>
>>>
>> <snip>
>>>> This happens when the processing takes too long to complete. Sometimes
>> a deeply nested zip file, or other system processing. Usually the
>> message gets quarantined after the processing attempts have reached the
>> limit...
>>
>> O.K. That makes sense.. Thanks.
>> How do I stop the hourly MailScanner message that is telling me this
>> happened?
>> <below>
>>
>> Archive:
>>
>> Number of messages: 1
>> Tries Message Last Tried
>> ===== ======= ==========
>> 6 q9B6UwqI024249 Thu Oct 11 02:53:14 2012
>>
> I usually have to delete the Processing.db in /var/spool/MailScanner/incoming
> Stop MailScanner, delete, and restart... A new one will be created... I'm sure
> there is some commandline magic to do this from inside MailScanner, and one of
> the smarter people on here will hopefully chime in with it...
You can avoid a restart by editing the database directly, e.g.

    sqlite3 /var/spool/MailScanner/incoming/Processing.db
    .header on
    select * from archive;
    delete from archive where id='xxxxxxxxxxxxxx';
    .quit

There is also a processing table, but for that table you should be careful
you don't delete anything relating to messages currently being processed.
Michael Young
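
The same cleanup as a script, added here as an example that is not part of the original post or of MailScanner: it deletes one id from the archive table, but refuses when that id still has a row in the processing table. The column layout of the sample database, the sample ids and the function names are assumptions; only the table names and the id column come from the message above.

```python
import sqlite3


def make_sample_db(path):
    """Build a constructed stand-in for Processing.db (column layout is assumed)."""
    con = sqlite3.connect(path)
    with con:
        for table in ("processing", "archive"):
            con.execute(f"CREATE TABLE {table} (id TEXT, count INT, nexttime INT)")
        # Constructed rows: one id only archived, one id also still being processed.
        con.execute("INSERT INTO archive VALUES ('SAMPLEID000001', 6, 0)")
        con.execute("INSERT INTO archive VALUES ('SAMPLEID000002', 6, 0)")
        con.execute("INSERT INTO processing VALUES ('SAMPLEID000002', 2, 0)")
    con.close()


def archived_ids(path):
    """Return the ids currently listed in the archive table."""
    con = sqlite3.connect(path)
    try:
        return [row[0] for row in con.execute("SELECT id FROM archive ORDER BY id")]
    finally:
        con.close()


def clear_archived(path, msg_id):
    """Delete msg_id from archive unless it is still in processing.

    Returns the number of archive rows removed (0 when skipped or not found).
    """
    # isolation_level=None: transactions are opened and closed explicitly below.
    con = sqlite3.connect(path, timeout=10, isolation_level=None)
    try:
        # Take the write lock first so the check and the delete are one unit.
        con.execute("BEGIN IMMEDIATE")
        in_flight = con.execute(
            "SELECT COUNT(*) FROM processing WHERE id = ?", (msg_id,)
        ).fetchone()[0]
        if in_flight:
            con.execute("ROLLBACK")
            return 0
        removed = con.execute(
            "DELETE FROM archive WHERE id = ?", (msg_id,)
        ).rowcount
        con.execute("COMMIT")
        return removed
    finally:
        con.close()
```

Run it against a copy of the database first; the id is passed as a bound parameter, so it is never pasted into the SQL text.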