[Declude.Virus] Skipifforging not working on Mytob

Fri, 15 Apr 2005 08:54:30 -0700 

Shortly after adding ClamAV to the Imail Server a few days ago, my system
started sending virus notices on Mytob (and so far, only Mytob) even though
I have SKIPIFFORGING in the sender.eml, recip.eml and postmaster.eml, plus I
have Mytob in the list of forging viruses in the virus.cfg. In the virus log
lines below, scanner 1 is F-Prot and scanner 2 is ClamAV.  The timing to the
addition to ClamAV may be only a coincidence.

Any ideas about what's happening?

Thanks,
John

Notice lines:
==================================================================
Declude Virus 2.0.5 caught a incoming virus 

        Subject: hello
           From: [Forged] 
             To: [EMAIL PROTECTED]
         Msg ID: <[EMAIL PROTECTED]>
         Queue#: D74590703010e25a9.SMD
      Remote IP: 63.197.109.187
Virus Name/File: W32/[EMAIL PROTECTED]  data.zip

postmaster.eml
==================================================================
SKIPIFFORGING
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: E-mail virus notice

Declude Virus %VERSION% caught a %INOROUT% virus 

        Subject: %SUBJECT%
           From: %MAILFROM% 
             To: %ALLRECIPS%
         Msg ID: %MSGID%
         Queue#: %QUEUENAME%
      Remote IP: %REMOTEIP%
Virus Name/File: %VIRUSNAME%  %VIRUSFILE%

Headers:
%HEADERS%

Virus log lines:
====================================================================
04/15/2005 02:59:36 Q74590703010e25a9 Banning .ZIP file with exe extension.
04/15/2005 02:59:36 Q74590703010e25a9 Scanner 1: Virus=W32/[EMAIL PROTECTED]
Attachment=data.zip [36] I
04/15/2005 02:59:37 Q74590703010e25a9 Scanner 2: Virus= Worm.Mytob.T-2
Attachment=data.zip [36] I
04/15/2005 02:59:37 Q74590703010e25a9 File(s) are INFECTED [W32/[EMAIL 
PROTECTED]:
1]
04/15/2005 02:59:37 Q74590703010e25a9 Deleting file with virus
04/15/2005 02:59:37 Q74590703010e25a9 Deleting E-mail with virus!
04/15/2005 02:59:37 Q74590703010e25a9 Scanned: CONTAINS A VIRUS [MIME: 2
58859]
04/15/2005 02:59:37 Q74590703010e25a9 From: [Forged] To:
[EMAIL PROTECTED] [incoming from 63.197.109.187]
04/15/2005 02:59:37 Q74590703010e25a9 Subject: hello

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

Reply via email to