Hello All,
I have a similar problem to rootLinux and Jordi.
I am installing qmail-1.03 and it is working fine. I am also installing
qmail-scanner-1.16 and the antivirus program f-prot, and I am sure that
f-prot is working as expected:
(/usr/local/bin/f-prot virus, where virus is a file with klez, catches the virus).
But when I send that virus as an attachment to my users (amail),
qmail-scanner didn't catch the virus e-mail. Probably I am making a stupid
mistake, but I don't know where...
10x a lot
Mitio
/var/spool/qmailscan/qmail-queue.log:
"
...
01/08/2003 22:01:03:3388: +++ starting debugging for process 3388 by
uid=500 at 01/08/2003 22:01:03
01/08/2003 22:01:03:3388: setting UID to EUID so subprocesses can access
files generated by this script
01/08/2003 22:01:03:3388: program name is qmail-scanner-queue.pl,
version 1.16
01/08/2003 22:01:03:3388: incoming pipe connection from via local
process 3388
01/08/2003 22:01:03:3388: w_c: mkdir
/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388
01/08/2003 22:01:03:3388: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/asha.ucc.uni-sofia.bg10597644634263388
[1059764463.39876]
01/08/2003 22:01:03:3388: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/asha.ucc.uni-sofia.bg10597644634263388
to
/var/spool/qmailscan/working/new/asha.ucc.uni-sofia.bg10597644634263388
[1059764463.40125]
01/08/2003 22:01:03:3388: d_m: starting /usr/local/bin/reformime
-x/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388/
</var/spool/qmailscan/working/new/asha.ucc.uni-sofia.bg10597644634263388
[1059764463.40167]
01/08/2003 22:01:03:3388: d_m: finished /usr/local/bin/reformime
-x/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388/
[1059764463.41063]
01/08/2003 22:01:03:3388: d_m: Manually unpack any zip files as some
virus scanners don't do zip under Unix!
01/08/2003 22:01:03:3388: d_m: unpacking message took 0.009411 seconds
01/08/2003 22:01:03:3388: unsetting QMAILQUEUE env var
01/08/2003 22:01:03:3388: g_e_h: return-path is "[EMAIL PROTECTED]", recips is "root"
01/08/2003 22:01:03:3388: [EMAIL PROTECTED]/08/2003
22:01:03:3388: p_s: checking for objects containing date: .{100,}
01/08/2003 22:01:03:3388: p_s: '86:.{100,}' = 'Virus-mime-version' =
'MIME Header Buffer Overflow '
01/08/2003 22:01:03:3388: p_s: type is a header!
01/08/2003 22:01:03:3388: p_s: checking for objects containing
mime-version: .{100,}
01/08/2003 22:01:03:3388: p_s: '87:.{100,}' = 'Virus-resent-date' =
'MIME Header Buffer Overflow'
01/08/2003 22:01:03:3388: p_s: type is a header!
01/08/2003 22:01:03:3388: p_s: checking for objects containing
resent-date: .{100,}
01/08/2003 22:01:03:3388: p_s:
'90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' =
'Virus-to' = 'BadTrans Trojan exploit!'
01/08/2003 22:01:03:3388: p_s: type is a header!
01/08/2003 22:01:03:3388: p_s: checking for objects containing to:
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
01/08/2003 22:01:03:3388: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
01/08/2003 22:01:03:3388: p_s: type is a size!
01/08/2003 22:01:03:3388: p_s: 'happy99.exe' = '10000' = 'Happy99
Trojan'
01/08/2003 22:01:03:3388: p_s: type is a size!
01/08/2003 22:01:03:3388: p_s: 'zipped_files.exe' = '120495' =
'W32/ExploreZip.worm.pak virus'
01/08/2003 22:01:03:3388: p_s: type is a size!
01/08/2003 22:01:03:3388: p_s: skipping auto-generated file
1059764463.3390-0.asha.ucc.uni-sofia.bg
01/08/2003 22:01:03:3388: p_s: finished scan of dir
"/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388" in
0.004062 secsc.uni-sofia.bg,subj=failure notice,
x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via
local process 3388
01/08/2003 22:01:03:3388: ini_sc: start scanning
01/08/2003 22:01:03:3388: p_s: starting scan of directory
"/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388"...
01/08/2003 22:01:03:3388: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love
Letter Virus/Trojan'
01/08/2003 22:01:03:3388: p_s: type is a header!
01/08/2003 22:01:03:3388: p_s: checking for objects containing subject:
ILOVEYOU
01/08/2003 22:01:03:3388: p_s: '82:message/partial' =
'Virus-content-type' = 'Message/partial MIME attachments blocked by
policy'
01/08/2003 22:01:03:3388: p_s: type is a header!
01/08/2003 22:01:03:3388: ini_sc: recursively scan the directory
/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388/
01/08/2003 22:01:03:3388: scanloop: starting scan of directory
"/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388"...
01/08/2003 22:01:03:3388: fprot: starting scan of directory
"/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388"...
01/08/2003 22:01:03:3388: run /usr/local/bin/f-prot -list -archive
-dumb /var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388 2>&1
01/08/2003 22:01:03:3388: --output of fprot was:
Virus scanning report - 1. August 2003 22:01
F-PROT 3.12
SIGN.DEF created 28. July 2003
SIGN2.DEF created 28. July 2003
MACRO.DEF created 28. July 2003
Search: /var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388
Action: Report only
Files: "Dumb" scan of all files
Switches: /ARCHIVE /AI
Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Time: 0:00
No viruses or suspicious files/boot sectors were found.
--
01/08/2003 22:01:03:3388: fprot: finished scan of dir
"/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388" in 0.078743
secs
01/08/2003 22:01:03:3388: SA: run /usr/bin/spamc -c -f <
/var/spool/qmailscan/working/new/asha.ucc.uni-sofia.bg10597644634263388
01/08/2003 22:01:03:3388: spamassassin: finished scan of dir
"/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388" in
0.136352 secs
01/08/2003 22:01:03:3388: scanloop: finished scan of
"/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388"...
01/08/2003 22:01:03:3388: ini_sc: scanning message took 0.220069 seconds
01/08/2003 22:01:03:3388: q_r: fork off child into
/var/qmail/bin/qmail-queue...
01/08/2003 22:01:03:3388: cleanup: /bin/rm -rf
/var/spool/qmailscan/asha.ucc.uni-sofia.bg10597644634263388/
/var/spool/qmailscan/working/new/asha.ucc.uni-sofia.bg10597644634263388
01/08/2003 22:01:03:3388: all finished. Total of 0.261694 secs "
where should be in help and e-mail's header:
"Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 3316 invoked by uid 504); 1 Aug 2003 19:00:39 -0000
Received: from [EMAIL PROTECTED] by asha.ucc.uni-sofia.bg by uid 501
with qmail-scanner-1.16
(. spamassassin: 2.44. Clear:.
Processed in 0.279986 secs); 01 Aug 2003 19:00:39 -0000
Received: from cc.ucc.uni-sofia.bg (62.44.109.1)
Received: (qmail 30607 invoked from network); 1 Aug 2003 19:05:23 -0000
Received: from shogo.ucc.uni-sofia.bg (HELO 62.44.109.7) (62.44.109.7)
Message-ID: <[EMAIL PROTECTED]>
Date: Fri, 01 Aug 2003 21:50:49 +0000
From: nnn <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9)
Gecko/20020408
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: privet
Content-Type: multipart/mixed;
..."
" Hi all,
I have a RH9 with qmail installed and working. I installed
qmail-scanner 1.16 and sophos
antivirus, all seems to work, except that any message is stopped.
I'm working with virtual domains...maybe here is the problem...
Any idea??
This is one example of the qmail-queue.log generated by
test_installation script:
30/06/2003 10:21:49:2655: +++ starting debugging for process 2655 by
uid=0 at 30/06/2003
10:21:49
30/06/2003 10:21:49:2655: setting UID to EUID so subprocesses can
access files generated by
this script
30/06/2003 10:21:49:2655: program name is qmail-scanner-queue.pl,
version 1.16
30/06/2003 10:21:49:2655: incoming pipe connection from via local
process 2655
30/06/2003 10:21:49:2655: w_c: mkdir
/var/spool/qmailscan/linux.es10569613094262655
30/06/2003 10:21:49:2655: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/linux.es10569613094262655
[1056961309.19$
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: illegal breakage found in header name -
potential virus
30/06/2003 10:21:49:2655: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/linux.es10569613094262655 to
/var/spool/qmailscan/wo$
30/06/2003 10:21:49:2655: d_m: starting /usr/local/bin/reformime
-x/var/spool/qmailscan/linux.es10569613094262655/ </var/spool/qmailsca$
30/06/2003 10:21:49:2655: d_m: finished /usr/local/bin/reformime
-x/var/spool/qmailscan/linux.es10569613094262655/ [1056961309.23068]
30/06/2003 10:21:49:2655: d_m: Checking all attachments to see if
they're MS-TNEF
30/06/2003 10:21:49:2655: d_m: is
/var/spool/qmailscan/linux.es10569613094262655/Eicar.com
is a TNEF file?: 256 [1056961309.24348]
30/06/2003 10:21:49:2655: d_m: Manually unpack any zip files as some
virus scanners don't
do zip under Unix!
30/06/2003 10:21:49:2655: d_m: unpacking message took 0.041842 seconds
30/06/2003 10:21:49:2655: unsetting QMAILQUEUE env var
30/06/2003 10:21:49:2655: g_e_h: return-path is "", recips is
[EMAIL PROTECTED]
30/06/2003 10:21:49:2655: from=,subj=, x-qmail-scanner-message-id= via
local process 2655
30/06/2003 10:21:49:2655: ini_sc: start scanning
30/06/2003 10:21:49:2655: p_s: starting scan of directory
"/var/spool/qmailscan/linux.es10569613094262655"...
30/06/2003 10:21:49:2655: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love
Letter
Virus/Trojan'
30/06/2003 10:21:49:2655: p_s: type is a header!
30/06/2003 10:21:49:2655: p_s: checking for objects containing
subject: ILOVEYOU
.
.
.
30/06/2003 10:21:49:2655: ini_sc: recursively scan the directory
/var/spool/qmailscan/linux.es10569613094262655/
30/06/2003 10:21:49:2655: scanloop: starting scan of directory
"/var/spool/qmailscan/linux.es10569613094262655"...
30/06/2003 10:21:49:2655: sweep: starting scan of directory
"/var/spool/qmailscan/linux.es10569613094262655"...
30/06/2003 10:21:49:2655: run /usr/local/bin/sweep -f -all -eec -sc
-nc -ss -nb -archive
/var/spool/qmailscan/linux.es1056961309426265$
30/06/2003 10:21:49:2655: --output of sophos sweep was:
--
30/06/2003 10:21:49:2655: sweep: finished scan of dir
"/var/spool/qmailscan/linux.sirt.es10569613094262655" in 2.658694 secs
30/06/2003 10:21:49:2655: scanloop: finished scan of
"/var/spool/qmailscan/linux.sirt.es10569613094262655"...
30/06/2003 10:21:49:2655: ini_sc: scanning message took 2.674565
seconds
30/06/2003 10:21:49:2655: q_r: fork off child into
/var/qmail/bin/qmail-queue...
30/06/2003 10:21:49:2655: qmail-scanner[2655]: Clear: 2.735976 935 <>
[EMAIL PROTECTED] <> <> <>
30/06/2003 10:21:49:2655: cleanup: /bin/rm -rf
/var/spool/qmailscan/linux.es10569613094262655/
/var/spool/qmailscan/working/new/linux.$
30/06/2003 10:21:52:2655: all finished. Total of 2.825985 secs
From: root linux <[EMAIL PROTECTED]>
Re: qmail-scanner works, but dont block any message
2003-07-02 07:50
Hi Jordi,
I faced the same problem as yours but haven't tested
sending an email with a virus.
I am using Red Hat Linux 9, qmail-scanner 1.16 and
clamav.
Below is what I received when I sent an email and I
didn't get the attachment:-
Content-Type: multipart/mixed;
This is a multi-part message in MIME format.
--=====000_Dragon303642860140_=====
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
Hello, rootlinux,
2003-06-30
PL969eo/UEsBAhQAFAAAAAgAhF6+LqBczBLKCAAAmg0AAAYAAAAAAAAAAQAgAAAAAAAAAHNuLnR4
dFBLBQYAAAAAAQABADQAAADuCAAAAAA=
--=====000_Dragon303642860140_=====--
Content-Length: 0
...."
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general