On Sun, 02 Jan 2005 11:20:43 +0000, Graham Watkins wrote:
> deedee E wrote:
> >
> > I confess to some confusion about your problem. Is there some
> > reason you are forced to execute the worm-infested e-mail while
> > running Windows? Why not just treat it like junk mail and delete
> > it? Isn't it junk mail?
>
> I'm not executing anything. I'm not doing anything with mail in
> windows. I'm not treating it as junk mail because these worms are
> not (visibly) attached to any individual mail. They are attached
> to the mail folders in my personal Mozilla (and now Evolution)
> settings. This is what I get from a Clamav scan:

As far as I can tell, the mystery from your perspective is that these worms have somehow gotten into your Inbox folder and you're worried that you can't get them out. I can hear your frustration, but understand ours. There is no mystery here. Read on.

> .evolution/mail/local/Inbox: Worm.Bagle.AP FOUND
> .evolution/mail/local/Inbox.sbd/Newbie: Worm.SomeFool.P FOUND
> (rest of scan snipped)
> ----------- SCAN SUMMARY -----------
> Known viruses: 25253
> Scanned directories: 31
> Scanned files: 59
> Infected files: 2
> Data scanned: 62.38 MB
> I/O buffer size: 131072 bytes
> Time: 76.410 sec (1 m 16 s)
> [EMAIL PROTECTED] graham]$

Your system is telling you in no uncertain terms where these worms are hanging out, i.e., /.evolution/mail/local/Inbox and /.evolution/mail/local/Inbox.sbd/newbie:. Take Anne's advice about emptying your Trash and compacting your mailboxes. Then, run the scan again.

If the worms still appear, then take the advice I gave in my previous post on this, and open your favorite text editor -- kate, kwrite, joe, ed, emacs, vi -- it doesn't matter. Go to the folder Inbox and open each file you find there in the text editor. It doesn't matter if your mail is in mbox or mdir format, they are both human readable using a text editor. Check for any messages that include binaries, i.e., it looks like garbage and you can't read it. Note in the header of each of those files Content-Type, From, Subject, and Date. E-mail headers are always in plain text.

Go back to Evolution and look in your Inbox for those particular e-mails. Most people have Sender, Subject and Date showing so they should be very easy to spot. Open in Evolution the ones you noted with the binary formats. You now should be able to see what the attachment is as well as why you kept the post. If you delete the affected posts, that should end your problem.

Let's say, however, that you still don't find anything. Then, your AV software is giving you false positives.

Worms, viruses, and so forth do not live in limbo. There cannot be a mysterious presence. They are always connected with one or more files (even on Windows systems). They are visible if you know where to look. Go to Symantec or one of the other sites that provides this kind of information. They will tell you exactly how those worms act, which files they leave in their wake, and where they are left on a system. Do a find on your computer for the file names that the AV site says the worms use, if you're still concerned after reading what the AV sites have to say. The malcode must be in individual files which can be removed individually.

> There are no dodgy files .exe, .com, .pif or otherwise. If they
> had been attached to individual mails, I would have known about
> them already. I thought that I had made this clear - apparently
> not.
> The problem as I see it is to find some way of disinfecting these
> files *without having to wipe all my existing mail*. This is why
> I was asking about the bug in Klamav which prevents me from
> scanning individual mails in Evolution.

I doubt that there is such a bug in Klamav. I don't think it was ever intended to do what you want, i.e., scan mail in an MUA (in this case Evolution). It's my belief that you're using it for a different purpose than it was created for. I think it's supposed to scan mail in an MTA. However, I won't swear to that because I don't use the software.

It is possible that the affected messages are not able to be disinfected, i.e., they may only contain the worm and nothing else, so the individual file/post must be deleted to get rid of the attachment containing the worm. Mdir mailboxes save the messages individually; mbox mailboxes append each new message to the end of the previous one for storage. However, both kinds of mailboxes allow you to remove messages individually using your MUA. You don't have to delete all the mail in a mailbox to get rid of individual problem posts.

A folder cannot harbor a worm. Folders hold files. Files can harbor worms.

> My Windows setup has a fairly regularly updated Norton AV on it
> but life's too short to boot into Windows just to run a scan -
> that's one of the reasons I installed Clamav/Klamav. The rpm
> version of Klamav is quite old (0.6) and is giving me the
> problem, i.e. not installing Klammail. There is a much newer
> version (0.9) on the Klamav site but it's source code and won't
> compile on my system. Evidently no-one here has had the Klamav
> experience. Hope none of you ever need to.

What you're seeing is the fact that people don't try to do what you want to do on stand alone systems. What you want is typically only useful for mail servers, i.e., a network that receives all its mail through a single server. Deleting individual infected e-mail handles this problem on a stand alone system.

If you feel you must continue using this software in this way, upgrade to a current version suitable for your system (maybe even upgrade your system). Usually one can find a site or mirror with all the versions for each application ever released. Start with the most current and then try each release going backwards until you find one that will compile on your system. It should be less likely to give you a false positive.

deedee

Registered Linux User #327485
Visit "WordStar & GNU/Linux" http://www.wordstar2.com
Also, see WordStar Users Group Community http://www.wordstar2.com/WordStar_Users/index.php
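
The manual check described in the message above (go through the mailbox file, find the messages that carry binary parts, and note their Content-Type, From, Subject and Date so they can be located and deleted in the mail client), as an added Python example that is not part of the original thread. It assumes the folder is stored in mbox format; the sample mailbox, addresses and attachment name are constructed.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage


def find_binary_messages(mbox_path):
    """Return header details for every message carrying a non-text MIME part."""
    hits = []
    box = mailbox.mbox(mbox_path, create=False)  # never create a missing file
    for key, msg in box.iteritems():
        for part in msg.walk():
            # Containers and text/* bodies are readable; anything else is
            # the "looks like garbage" content the scanner may be flagging.
            if part.is_multipart() or part.get_content_maintype() == "text":
                continue
            hits.append({"index": key, "from": msg.get("From", ""),
                         "subject": msg.get("Subject", ""),
                         "date": msg.get("Date", ""),
                         "content_type": part.get_content_type(),
                         "filename": part.get_filename() or ""})
    box.close()
    return hits


def build_sample_mbox(path):
    """Write a constructed two-message mbox: one plain, one with a binary part."""
    box = mailbox.mbox(path)
    plain = EmailMessage()
    plain["From"], plain["Subject"] = "friend@example.org", "Lunch?"
    plain["Date"] = "Sat, 01 Jan 2005 10:00:00 +0000"
    plain.set_content("See you at noon.")
    box.add(plain)
    odd = EmailMessage()
    odd["From"], odd["Subject"] = "stranger@example.net", "Re: Document"
    odd["Date"] = "Sat, 01 Jan 2005 11:00:00 +0000"
    odd.set_content("Please see the attached file.")
    # Constructed placeholder bytes, not a real sample of anything.
    odd.add_attachment(b"\x00\x01constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename="document.pif")
    box.add(odd)
    box.close()  # close() flushes pending writes to disk


if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "Inbox")
    build_sample_mbox(sample)
    for hit in find_binary_messages(sample):
        print(hit)
```

Pointed at a copy of a real folder file such as `.evolution/mail/local/Inbox`, the returned From, Subject and Date values are what to look for in the mail client's message list.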
