27/08/2003 11:44:57:14859: p_s: skipping auto-generated file 1061999098.14869-0.mail.highspd.net
27/08/2003 11:44:57:14859: p_s: skipping auto-generated file 1061999098.14869-1.mail.highspd.net
27/08/2003 11:44:57:14859: p_s: skipping auto-generated file 1061999098.14869-2.mail.highspd.net
27/08/2003 11:44:57:14859: p_s: checking movie0045.pif against perlscanner database...
27/08/2003 11:44:57:14859: p_s: file movie0045.pif is lowercased to movie0045.pif and has extension .pif
27/08/2003 11:44:57:14859: p_s: compare movie0045.pif against perlscanner database
27/08/2003 11:44:57:14859: p_s: finished scan of dir "/var/spool/qmailscan/mail.highspd.net106199909751314859" in 0.003628 secs
27/08/2003 11:44:57:14859: ini_sc: recursively scan the directory /var/spool/qmailscan/mail.highspd.net106199909751314859/
27/08/2003 11:44:57:14859: scanloop: starting scan of directory "/var/spool/qmailscan/mail.highspd.net106199909751314859"...
27/08/2003 11:44:57:14859: trophie: starting scan of directory "/var/spool/qmailscan/mail.highspd.net106199909751314859"...
27/08/2003 11:44:57:14859: There be a virus! (WORM_SOBIG.F.DAM)
27/08/2003 11:44:57:14859: trophie: finished scan of dir "/var/spool/qmailscan/mail.highspd.net106199909751314859" in 0.00697 secs
27/08/2003 11:44:57:14859: scanloop: finished scan of "/var/spool/qmailscan/mail.highspd.net106199909751314859"...
27/08/2003 11:44:57:14859: ini_sc: scanning message took 0.011125 seconds
27/08/2003 11:44:57:14859: unsetting TCPREMOTEIP env var
27/08/2003 11:44:57:14859: e_v_r: quarantine msg to /var/spool/qmailscan/quarantine/new/mail.highspd.net106199909751314859
27/08/2003 11:44:57:14859: v_v_t_r: called with WORM_SOBIG.F.DAM
27/08/2003 11:44:57:14859: v_v_t_r: does WORM_SOBIG.F.DAM contain klez?
27/08/2003 11:44:57:14859: v_v_t_r: does WORM_SOBIG.F.DAM contain bugbear?
27/08/2003 11:44:57:14859: v_v_t_r: does WORM_SOBIG.F.DAM contain hybris?
27/08/2003 11:44:57:14859: v_v_t_r: does WORM_SOBIG.F.DAM contain yaha?
27/08/2003 11:44:57:14859: v_v_t_r: does WORM_SOBIG.F.DAM contain braid?
27/08/2003 11:44:57:14859: v_v_t_r: does WORM_SOBIG.F.DAM contain nimda?
27/08/2003 11:44:57:14859: v_v_t_r: does WORM_SOBIG.F.DAM contain tanatos?
27/08/2003 11:44:57:14859: v_v_t_r: does WORM_SOBIG.F.DAM contain sobig?
27/08/2003 11:44:57:14859: v_v_t_r: yes it does! - so don't notify the sender
27/08/2003 11:44:57:14859: n_a: notify_addr (set to sender,nmladm) called with admin
27/08/2003 11:44:57:14859: n_a: notify_addr (set to sender,nmladm) called with nmladm
27/08/2003 11:44:57:14859: i_u_e: called with sender
27/08/2003 11:44:57:14859: i_u_e: sender is a mailing-list
27/08/2003 11:44:57:14859: i_u_e: called with sender
27/08/2003 11:44:57:14859: i_u_e: sender is a mailing-list
27/08/2003 11:44:57:14859: n_a: notify_addr (set to sender,nmladm) called with recips
27/08/2003 11:44:57:14859: w_v_r: writing quarantine log report of:
So if it's catching it here what's the big deal? Am I missing something?
Thanks,
Ed McLain
On Wed, 2003-08-27 at 08:37, Salvatore Toribio wrote:
There is another way to deal with Sobig virus blocking the attached pif file without sending a notify to the forged sender.

As you could read at <http://www.sophos.com/virusinfo/analyses/w32sobigf.html> Sobig usually sends an attachment with one of these names:

movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif

So you could add in your quarantine-attachments.txt file these lines before the line that blocks pif files:

movie0045.pif 0 Sobig Virus
wicked_scr.scr 0 Sobig Virus
application.pif 0 Sobig Virus
document_9446.pif 0 Sobig Virus
details.pif 0 Sobig Virus
your_details.pif 0 Sobig Virus
thank_you.pif 0 Sobig Virus
document_all.pif 0 Sobig Virus
your_document.pif 0 Sobig Virus

I've tested it sending an innocuous file named "movie0045.pif" and here is the log:

.........
26/08/2003 15:50:49:24914: p_s: checking movie0045.pif against perlscanner database...
26/08/2003 15:50:49:24914: p_s: file movie0045.pif is lowercased to movie0045.pif and has extension .pif
26/08/2003 15:50:49:24914: p_s: compare movie0045.pif against perlscanner database
26/08/2003 15:50:49:24914: p_s: Quarantine movie0045.pif! (Sobig Virus)
..........
26/08/2003 15:50:49:24914: v_v_t_r: called with Sobig Virus
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain klez?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain bugbear?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain hybris?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain yaha?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain braid?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain nimda?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain tanatos?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain sobig?
26/08/2003 15:50:49:24914: v_v_t_r: yes it does! - so don't notify the sender
26/08/2003 15:50:49:24914: n_a: notify_addr (set to sender,admin) called with admin
...........

And obviously the sender (me) wasn't notified.

Regards
Salvatore

PS: The list didn't accept this message from me yesterday, maybe the list was using "relays.osirusoft.com" as me...

Failed to deliver your message to [EMAIL PROTECTED]:
SMTP: Address rejected by host
Host 'mail.sourceforge.net' says: 451 Talk to your mail administrator for details.

On the other hand I can't talk to my mail administrator, because I am the mail administrator. ;-)

--
Thanks,
Ed McLain
Sr. Network Admin
High Speed Solutions
Phone: 205.969.0075 x 104
Email: [EMAIL PROTECTED]
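
Added example (not part of the original posts and not qmail-scanner's own code): a simplified Python model of the two steps visible in the logs above, the filename lookup (p_s) and the sender-notification check (v_v_t_r), showing why the specific Sobig names go before the generic .pif line. First-match semantics, the extension-matching rule and the generic .pif description are assumptions; the size field is parsed but ignored.

```python
# Added illustration: a simplified model, not qmail-scanner's own code.
# Keywords copied from the v_v_t_r lines in the logs above.
SILENT_KEYWORDS = ["klez", "bugbear", "hybris", "yaha", "braid",
                   "nimda", "tanatos", "sobig"]

def parse_rules(text):
    """Parse 'name size description' lines; file order is preserved."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, size, desc = line.split(None, 2)
        rules.append((name.lower(), int(size), desc))
    return rules

def match_attachment(filename, rules):
    """Return the description of the first matching rule, else None.
    Assumption: a name starting with '.' matches as an extension,
    anything else must equal the lowercased filename."""
    fname = filename.lower()
    for name, _size, desc in rules:  # size is ignored in this model
        if (name.startswith(".") and fname.endswith(name)) or fname == name:
            return desc
    return None

def notify_sender(reason):
    """False when the reason names a worm known to forge senders."""
    return not any(k in reason.lower() for k in SILENT_KEYWORDS)

# Constructed rule sets: the generic .pif description is a placeholder.
GENERIC = ".pif 0 PIF files not allowed (constructed placeholder)"
SPECIFIC = "movie0045.pif 0 Sobig Virus\nthank_you.pif 0 Sobig Virus"
GOOD_ORDER = parse_rules(SPECIFIC + "\n" + GENERIC)  # order advised above
BAD_ORDER = parse_rules(GENERIC + "\n" + SPECIFIC)   # generic rule wins

def verdict(filename, rules):
    """Return (action, sender handling) for one attachment name."""
    reason = match_attachment(filename, rules)
    if reason is None:
        return ("deliver", None)
    return ("quarantine", "notify" if notify_sender(reason) else "silent")

if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, verdict("Movie0045.PIF", rules))
    # The scanner-supplied name from the first log is also suppressed.
    print("notify for WORM_SOBIG.F.DAM:", notify_sender("WORM_SOBIG.F.DAM"))
```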
