Hi All,
I have a brand new setup here:
Red Hat 7.3
qmail 1.0.3
Spamassassin 2.31 - spamd/spamc
Clamscan 0.22
Qmail-scanner 1.13
The setup is filtering and tagging spam fine, but it is not quarantining the
klez virus as I expected it to. I (successfully) re-ran
test_installation.sh, but I continue to receive 10-15 messages/day infected
with the virus. Will someone point me in the right direction for finding
information on what is wrong with my configuration and how I might fix it,
please? I am happy to send any information pertinent to this task.
Attached below is a snip of the header from an infected message that was
caught by Norton when it reached my inbox (don't know if that helps).
Received: from [EMAIL PROTECTED] by webserver by uid 501 with
qmail-scanner-1.13
(clamscan: 0.22. spamassassin: 2.31. Clear:SA:0(-0.1/5.0):.
Processed in 2.693023 secs); 19 Aug 2002 07:33:34 -0000
X-Spam-Status: No, hits=-0.1 required=5.0
Here is the qmail-queue log wrt the same message - sorry so long, I don't
know what is relevant and what is not:
[root@webserver qmailscan]# more qmail-queue.log |grep :15457
19/08/2002 03:33:31:15457: +++ starting debugging for process 15457 by uid=501 at 19/08/2002 03:33:31
19/08/2002 03:33:31:15457: setting UID to EUID so subprocesses can access files generated by this script
19/08/2002 03:33:31:15457: program name is qmail-scanner-queue.pl, version 1.13
19/08/2002 03:33:31:15457: incoming SMTP connection from via smtp from 216.122.84.91
19/08/2002 03:33:31:15457: w_c: mkdir /var/spool/qmailscan/webserver102974241142315457
19/08/2002 03:33:31:15457: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/webserver102974241142315457 [1029742411.9808]
19/08/2002 03:33:31:15457: w_c: rename new msg from /var/spool/qmailscan/working/tmp/webserver102974241142315457 to /var/spool/qmailscan/working/new/webserver102974241142315457 [1029742414.4161]
19/08/2002 03:33:31:15457: d_m: starting usr/local/bin/reformime -x/var/spool/qmailscan/webserver102974241142315457/ </var/spool/qmailscan/working/new/webserver102974241142315457 [1029742414.41648]
19/08/2002 03:33:31:15457: d_m: finished usr/local/bin/reformime -x/var/spool/qmailscan/webserver102974241142315457/ [1029742414.4446]
19/08/2002 03:33:31:15457: d_m: Manually unpack any zip files as some virus scanners don't do zip under Unix!
19/08/2002 03:33:31:15457: d_m: unpacking message took 0.028545 seconds
19/08/2002 03:33:31:15457: unsetting QMAILQUEUE env var
19/08/2002 03:33:31:15457: g_e_h: return-path is "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
19/08/2002 03:33:31:15457: from=SureshT <[EMAIL PROTECTED]>,subj=A powful tool, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via smtp from 216.122.84.91
19/08/2002 03:33:31:15457: ini_sc: start scanning
19/08/2002 03:33:31:15457: p_s: starting scan of directory "/var/spool/qmailscan/webserver102974241142315457"...
19/08/2002 03:33:31:15457: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love Letter Virus/Trojan'
19/08/2002 03:33:31:15457: p_s: type is a header!
19/08/2002 03:33:31:15457: p_s: checking for objects containing subject: ILOVEYOU
19/08/2002 03:33:31:15457: p_s: '84:.{100,}' = 'Virus-date' = 'MIME Header Buffer Overflow'
19/08/2002 03:33:31:15457: p_s: type is a header!
19/08/2002 03:33:31:15457: p_s: checking for objects containing date: .{100,}
19/08/2002 03:33:31:15457: p_s: '85:.{100,}' = 'Virus-mime-version' = 'MIME Header Buffer Overflow '
19/08/2002 03:33:31:15457: p_s: type is a header!
19/08/2002 03:33:31:15457: p_s: checking for objects containing mime-version: .{100,}
19/08/2002 03:33:31:15457: p_s: '86:.{100,}' = 'Virus-resent-date' = 'MIME Header Buffer Overflow'
19/08/2002 03:33:31:15457: p_s: type is a header!
19/08/2002 03:33:31:15457: p_s: checking for objects containing resent-date: .{100,}
19/08/2002 03:33:31:15457: p_s: '89:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|I1MCH2TH@yahoo.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|muwripa@fairesuivre.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZC[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkawog@krovatka.net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
19/08/2002 03:33:31:15457: p_s: type is a header!
19/08/2002 03:33:31:15457: p_s: checking for objects containing to: [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZCD@excite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkawog@krovatka.net|[EMAIL PROTECTED]
19/08/2002 03:33:31:15457: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
19/08/2002 03:33:31:15457: p_s: type is a size!
19/08/2002 03:33:31:15457: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
19/08/2002 03:33:31:15457: p_s: type is a size!
19/08/2002 03:33:31:15457: p_s: 'zipped_files.exe' = '120495' = 'W32/ExploreZip.worm.pak virus'
19/08/2002 03:33:31:15457: p_s: type is a size!
19/08/2002 03:33:31:15457: p_s: skipping auto-generated file 1029742414.15459-0.webserver
19/08/2002 03:33:31:15457: p_s: checking default.bat against perlscanner database...
19/08/2002 03:33:31:15457: p_s: file default.bat is lowercased to default.bat and has extension .bat
19/08/2002 03:33:31:15457: p_s: compare default.bat against perlscanner database
19/08/2002 03:33:31:15457: p_s: finished scan of dir "/var/spool/qmailscan/webserver102974241142315457" in 0.003777 secs
19/08/2002 03:33:31:15457: ini_sc: recursively scan the directory /var/spool/qmailscan/webserver102974241142315457/
19/08/2002 03:33:31:15457: scanloop: starting scan of directory "/var/spool/qmailscan/webserver102974241142315457"...
19/08/2002 03:33:31:15457: clamscan: starting scan of directory "/var/spool/qmailscan/webserver102974241142315457"...
19/08/2002 03:33:31:15457: run usr/local/bin/clamscan -r --tempdir=/var/spool/qmailscan/webserver102974241142315457 --disable-summary --unzip --unrar --unace --unarj --zoo --lha --jar --tar --tgz /var/spool/qmailscan/webserver102974241142315457 2>&1
19/08/2002 03:33:31:15457: --output of clamscan was:
19/08/2002 03:33:31:15457: clamscan: finished scan of dir "/var/spool/qmailscan/webserver102974241142315457" in 0.047019 secs
19/08/2002 03:33:31:15457: SA: run /usr/bin/spamc -c -f < /var/spool/qmailscan/working/new/webserver102974241142315457
19/08/2002 03:33:31:15457: spamassassin: finished scan of dir "/var/spool/qmailscan/webserver102974241142315457" in 0.172205 secs
19/08/2002 03:33:31:15457: scanloop: finished scan of "/var/spool/qmailscan/webserver102974241142315457"...
19/08/2002 03:33:31:15457: ini_sc: scanning message took 0.223783 seconds
19/08/2002 03:33:31:15457: q_r: fork off child into /var/qmail/bin/qmail-queue...
19/08/2002 03:33:31:15457: cleanup: /bin/rm -rf /var/spool/qmailscan/webserver102974241142315457/ /var/spool/qmailscan/working/new/webserver102974241142315457
19/08/2002 03:33:34:15457: all finished. Total of 2.802409 secs
Your help is very much appreciated.
Mike
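The log quoted in the post shows the steps qmail-scanner ran for that one message: unpack with reformime, the perlscanner header and filename checks, the clamscan run (whose output section is empty), spamc, and finally the hand-off to qmail-queue. The following is an added example, not code from the original post or from the qmail-scanner project: a small Python triage script that groups qmail-queue.log lines by process id and reports, per message, which unpacked files perlscanner saw, what clamscan command was run and what it printed, and whether the message was passed on to qmail-queue. The embedded log text is constructed: a trimmed copy of the 15457 lines above plus a made-up second process 15499 in which clamscan does report a file; the detection name Eicar-Test-Signature and the 15499 paths and timings are illustrative.

```python
"""Triage helper for qmail-scanner's qmail-queue.log (added example, not project code)."""
import re
from collections import defaultdict

# Constructed sample: trimmed 15457 lines from the post plus a made-up process 15499
# whose clamscan reports a file. 'Eicar-Test-Signature' and the 15499 values are illustrative.
SAMPLE_LOG = """\
19/08/2002 03:33:31:15457: program name is qmail-scanner-queue.pl, version 1.13
19/08/2002 03:33:31:15457: w_c: mkdir /var/spool/qmailscan/webserver102974241142315457
19/08/2002 03:33:31:15457: d_m: unpacking message took 0.028545 seconds
19/08/2002 03:33:31:15457: p_s: checking for objects containing subject: ILOVEYOU
19/08/2002 03:33:31:15457: p_s: checking default.bat against perlscanner database...
19/08/2002 03:33:31:15457: run usr/local/bin/clamscan -r --disable-summary /var/spool/qmailscan/webserver102974241142315457 2>&1
19/08/2002 03:33:31:15457: --output of clamscan was:
19/08/2002 03:33:31:15457: clamscan: finished scan of dir "/var/spool/qmailscan/webserver102974241142315457" in 0.047019 secs
19/08/2002 03:33:31:15457: SA: run /usr/bin/spamc -c -f < /var/spool/qmailscan/working/new/webserver102974241142315457
19/08/2002 03:33:31:15457: q_r: fork off child into /var/qmail/bin/qmail-queue...
19/08/2002 03:33:34:15457: all finished. Total of 2.802409 secs
19/08/2002 03:40:01:15499: program name is qmail-scanner-queue.pl, version 1.13
19/08/2002 03:40:01:15499: w_c: mkdir /var/spool/qmailscan/webserver102974280155515499
19/08/2002 03:40:01:15499: p_s: checking eicar.com against perlscanner database...
19/08/2002 03:40:01:15499: run usr/local/bin/clamscan -r --disable-summary /var/spool/qmailscan/webserver102974280155515499 2>&1
19/08/2002 03:40:01:15499: --output of clamscan was:
19/08/2002 03:40:01:15499: /var/spool/qmailscan/webserver102974280155515499/eicar.com: Eicar-Test-Signature FOUND
19/08/2002 03:40:02:15499: clamscan: finished scan of dir "/var/spool/qmailscan/webserver102974280155515499" in 0.051002 secs
19/08/2002 03:40:02:15499: all finished. Total of 0.412000 secs
"""

# "DD/MM/YYYY HH:MM:SS:PID: message", as in the log quoted in the post
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):(\d+): (.*)$")


def parse_log(text):
    """Group log lines by qmail-scanner process id; one process handles one message."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m.group(2)].append(m.group(3))
    return dict(by_pid)


def triage(msgs):
    """Extract the facts that matter for 'why was this not caught?' from one process's lines."""
    rep = {"version": None, "unpack_dir": None, "checked_files": [],
           "clamscan_cmd": None, "clamscan_output": [], "spamc_cmd": None,
           "queued": False, "total_secs": None}
    in_clam = False  # inside the block between '--output of clamscan was:' and the finish line
    for msg in msgs:
        if in_clam:
            if msg.startswith("clamscan: finished scan"):
                in_clam = False
            else:
                rep["clamscan_output"].append(msg)
            continue
        if m := re.match(r"program name is \S+, version (\S+)", msg):
            rep["version"] = m.group(1)
        elif m := re.match(r"w_c: mkdir (\S+)", msg):
            rep["unpack_dir"] = m.group(1)
        elif m := re.match(r"p_s: checking (\S+) against perlscanner", msg):
            rep["checked_files"].append(m.group(1))  # files reformime actually unpacked
        elif msg.startswith("run ") and "clamscan" in msg:
            rep["clamscan_cmd"] = msg[4:]
        elif msg == "--output of clamscan was:":
            in_clam = True
        elif m := re.match(r"SA: run (.*)", msg):
            rep["spamc_cmd"] = m.group(1)
        elif msg.startswith("q_r: fork off child into"):
            rep["queued"] = True  # re-injected into qmail-queue, i.e. on its way to delivery
        elif m := re.match(r"all finished\. Total of ([\d.]+) secs", msg):
            rep["total_secs"] = float(m.group(1))
    return rep


def findings(rep):
    """Turn a report into the checks a practitioner would want to see next."""
    out = []
    if rep["clamscan_cmd"] is None:
        out.append("clamscan was never invoked")
    elif not rep["clamscan_output"]:
        out.append("clamscan printed nothing; rerun the logged command by hand on a saved copy of the unpacked directory")
    else:
        out.extend("clamscan reported: " + l for l in rep["clamscan_output"] if l.endswith(" FOUND"))
    if not rep["checked_files"]:
        out.append("perlscanner saw no unpacked files; check reformime and the spool directory")
    if rep["queued"]:
        out.append("message was passed to qmail-queue for delivery")
    return out


if __name__ == "__main__":
    for pid, msgs in parse_log(SAMPLE_LOG).items():
        rep = triage(msgs)
        print(f"process {pid}: version={rep['version']} files={rep['checked_files']} total={rep['total_secs']}s")
        for f in findings(rep):
            print("  -", f)
```

Run it against a real log with `python3 triage.py` after replacing SAMPLE_LOG with the file contents (or pipe `grep :15457 qmail-queue.log` into it); the point is to see at a glance whether the empty clamscan output section is the only place the message could have slipped through, and to reproduce the exact clamscan command outside qmail-scanner before changing configuration.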
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general