<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Julian Field wrote:
<blockquote cite="mid:48CE134C.7080307@ecs.soton.ac.uk" type="cite">As
some of you may have already realised, a few people are having a
problem on particular OS's when using Postfix, where messages
generated by a particular Trojan are not being unpacked properly.
<br>
<br>
So Postfix users on CentOS, please can you check your logs for any
16-17Kb spams which could possibly contain an attachment called
"start.zip" (grep should find it in raw queue files, if you're
wondering how to do that for raw queue files), which have not always
been detected as infected.
<br>
<br>
You might want to use the "Archive Mail" feature of MailScanner.conf
for a while to see if you're getting anything like that, in case you
are suffering the problem.
<br>
<br>
We would very much like to know how widespread this problem is, so
please report back with your findings and we'll take a straw poll of
the respondents.
<br>
<br>
Thanks folks!
<br>
<br>
Jules
<br>
<br>
</blockquote>
<font face="Helvetica, Arial, sans-serif">Running MS 4.71.10 with
Postfix 2.3.3 and CentOS 5.2.<br>
Many of these, actually 79 in the last 36 hours or so, have been caught
successfully.<br>
<br>
Sep 14 07:25:25 iolaos-new MailScanner[16162]:
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip:
Trojan.Fakealert-532 FOUND<br>
Sep 14 07:25:29 iolaos-new MailScanner[15957]:
/var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip:
Trojan.Fakealert-532 FOUND<br>
Sep 14 07:26:05 iolaos-new MailScanner[15906]:
/var/spool/MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip:
Trojan.Fakealert-532 FOUND<br>
Sep 14 07:30:16 iolaos-new MailScanner[16162]:
/var/spool/MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip:
Trojan.Fakealert-532 FOUND<br>
.......<br>
cat maillog|grep DC59F8C275.169EC<br>
Sep 14 07:25:25 iolaos-new MailScanner[16162]:
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip:
Trojan.Fakealert-532 FOUND<br>
Sep 14 07:25:25 iolaos-new MailScanner[16162]:
/var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe:
Trojan.Fakealert-532 FOUND<br>
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message
DC59F8C275.169EC came from 83.206.158.181<br>
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks:
(DC59F8C275.169EC Start.exe)<br>
<br>
<br>
Andreas<br>
</font>
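<p>An added example, not part of the original post or of MailScanner: a way to produce the tally asked for by grouping the MailScanner "FOUND" lines by message ID and attaching the reported source address. The sample log is constructed from the lines quoted above, rejoined one per line; the function name and the regular expressions are assumptions based on that log format only.</p>

```python
import re
from collections import defaultdict

# Constructed sample: log lines from the post above, rejoined one per line.
SAMPLE_LOG = """\
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181
Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: Trojan.Fakealert-532 FOUND
"""

# Groups: 1 = message ID (directory name), 2 = file name, 3 = signature.
FOUND_RE = re.compile(
    r"MailScanner\[\d+\]: \S*/([0-9A-F]+\.[0-9A-F]+)/([^:]+): (\S+) FOUND$")
# Groups: 1 = message ID, 2 = source address.
SOURCE_RE = re.compile(
    r"MailScanner\[\d+\]: Infected message (\S+) came from (\S+)$")


def summarise(log_text, attachment="start.zip"):
    """Group virus hits by message ID; keep messages that carried `attachment`."""
    messages = defaultdict(lambda: {"hits": {}, "source": None})
    for line in log_text.splitlines():
        line = line.strip()
        found = FOUND_RE.search(line)
        if found:
            msg_id, filename, signature = found.groups()
            messages[msg_id]["hits"][filename] = signature
            continue
        source = SOURCE_RE.search(line)
        if source:
            messages[source.group(1)]["source"] = source.group(2)
    wanted = attachment.lower()
    return {msg_id: info for msg_id, info in messages.items()
            if any(name.lower() == wanted for name in info["hits"])}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{len(report)} distinct messages with start.zip detected")
    for msg_id, info in sorted(report.items()):
        files = ", ".join(sorted(info["hits"]))
        print(f"{msg_id}  from={info['source']}  files={files}")
```

<p>This counts only messages where the scanner logged a detection. A message whose start.zip was not unpacked leaves no FOUND line, so finding those still needs the search of raw queue files or archived mail described in the quoted request.</p>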
</body>
</html>