On Sun, 2003-10-12 at 11:28, Jason Staudenmayer wrote:
> What's the output of "/var/qmail/bin/qmail-scanner-queue.pl -g"
> And let's see the qmail-quarentine.txt file
Here are the outputs:
# Sample of well-known viruses that perlscan_scanner can use
#
# This is case-insensitive, and TAB-delimited.
#
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after
# this file is modified
# ******
#
# Format: three columns
#
# filename<TAB>size (in bytes)<TAB>Description of virus/whatever
#
# OR:
#
# string<TAB>Header<TAB>Description of virus/whatever
#
# [this one allows you to match on (e.g.) Subject line.
#
# NOTE 1: This is the crudest "virus scanning" you can do - we are
# arbitrarily deciding that particular filenames of certain sizes contain
# viruses - when they may not. However this can be useful for the times
# when a new virus is discovered and your scanner cannot detect it (yet).
#
# NOTE 2: This is only good for picking up stand-alone viruses like the
# following. Macro viruses are impossible to detect with this method as
# they infect users docs.
#
# NOTE 3: Wildcards are supported. This system can also be used to deny
# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other
# wildcard type is supported. Be very careful with this feature. With
# wildcards, the size field is ignored (i.e. any size matches).
#
# .exe 0 Executable attachment too large
#
# That would ban .EXE files from your site (but would
# still allow .zip files...
#
# .mp3 0 MP3 attachments disallowed
#
# ...would stop any Email containing MP3 attachments passing.
#
# NOTE 4: No you can't use this to ban any file (i.e. *.*) that's over
# a certain size - you should
# "echo 10000000 > /var/qmail/control/databytes"
# to set the maximum SMTP message size to 10Mb.
#
# NOTE 5: The second option allows you to match on header. This would allow
# you to block Email viruses when you don't know anything else other than
# there's a weird Subject line (or From line, or X-Spanska: header, ...).
# Note that it's a case-sensitive, REGEX string, and the system will
# automatically surround it with ^ and $ before matching. i.e. if you
# want wildcards, explicitly put them in...
#
# The string _must_be_ "Virus-" followed by the header you wish to match
# on - followed by a colon (:).
#
# e.g.
#
# Pickles.*Breakfast Virus-Subject: Fake Example Pickles virus
#
# will match "Subject: Pickles for Breakfast" - and
# not "Subject: Pickles - where did you go?"
#
#
# NOTE 6: Similar to the headers option, you can match on the mail ENVELOPE
# headers - i.e. "MAIL FROM:" and "RCPT TO:". These are identical to
# Virus-<header>, except that the header names are MAILFROM and RCPTTO only.
#
# e.g.
#
# [EMAIL PROTECTED] Virus-MAILFROM: Bad mail envelope not allowed here!
#
# NOTE 7: Another "faked" header - "Virus-TCPREMOTEIP" can be used to match
# actions against the IP address of the SMTP client.
#
EICAR.COM 69 EICAR Test Virus
Happy99.exe 10000 Happy99 Trojan
zipped_files.exe 120495 W32/ExploreZip.worm.pak virus
ILOVEYOU Virus-Subject: Love Letter Virus/Trojan
message/partial.* Virus-Content-Type: Message/partial MIME attachments blocked by policy
#The following matches Date: headers that are over 100 chars in length
#these are impossible in the wild
.{100,} Virus-Date: MIME Header Buffer Overflow
.{100,} Virus-Mime-Version: MIME Header Buffer Overflow
.{100,} Virus-Resent-Date: MIME Header Buffer Overflow
#
#Let's stop that nasty BadTrans virus from uploading your keystrokes...
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Virus-To: BadTrans Trojan exploit!
#
# These are examples of prudent defaults to set for most sites.
# Commented out by default
.vbs 0 VBS files not allowed per Company security policy
.lnk 0 LNK files not allowed per Company security policy
.scr 0 SCR files not allowed per Company security policy
.wsh 0 WSH files not allowed per Company security policy
.hta 0 HTA files not allowed per Company security policy
.pif 0 PIF files not allowed per Company security policy
.exe 0 EXE files not allowed
.mp3 0 MP# files not allowed
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after
# this file is modified
# ******
#
# EOF
and
perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
perlscanner: total of 17 entries.
Thanks,
>
>
> -----Original Message-----
> From: russ [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 12, 2003 10:57 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Qmail-scanner-general]Will not use quarantine-attachments.db
>
>
> On Sun, 2003-10-12 at 10:34, Jason Staudenmayer wrote:
> > Let's see your debug log.
> >
> > -----Original Message-----
> > From: russ [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, October 12, 2003 10:28 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Qmail-scanner-general]Will not use quarantine-attachments.db
> >
> >
> > qmail-scanner seems to be working correctly, except that no matter what
> > I do to "quarantine-attachments.db" (i.e. changing rights and owners
> > etc.) all rules in that list are ignored. Can someone please point me in
> > the right direction to fix this. PLEASE.
>
> Here is part of debug log, .exe files are set to be rejected, but they
> pass right through. When I run /var/qmail/bin/qmail-scanner-queue.pl
> -r it reads the rules just fine.
>
>
> uid=88 at Sun, 12 Oct 2003 00:19:54 -0400
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: setting UID to EUID so
> subprocesses can access files generated by this script
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: program name is
> qmail-scanner-queue.pl, version 1.20rc3
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: incoming pipe connection from via
> local process 22878
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: w_c: mkdir
> /var/spool/qmailscan/studmail.essextech.org106593239445622878
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: w_c: start dumping incoming msg
> into
> /var/spool/qmailscan/working/tmp/studmail.essextech.org106593239445622878
> [1065932394.6983]
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: w_c: primary Content-Type of
> multipart/mixed found
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: w_c: found a top-level boundary
> definition of =_0_22874_1065932394
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: w_c: attachment 1: Content-Type
> of text/plain found
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: found C-T attachment filename
> flashcom.exe
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: w_c: attachment 2: Content-Type
> of application/octet-stream found
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/studmail.essextech.org106593239445622878 to
> /var/spool/qmailscan/working/new/studmail.essextech.org106593239445622878
> [1065932394.76823]
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: d_m: starting /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org106593239445622878/
> </var/spool/qmailscan/working/new/studmail.essextech.org106593239445622878
> [1065932394.76891]
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: d_m: finished /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org106593239445622878/
> [1065932394.81511]
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: d_m: Checking all attachments to
> see if they're MS-TNEF
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: d_m: is
> /var/spool/qmailscan/studmail.essextech.org106593239445622878/1065932394.22880-0.studmail.essextech.org
> is a TNEF file?: 256 [1065932394.82294]
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: d_m: is
> /var/spool/qmailscan/studmail.essextech.org106593239445622878/FLASHCOM.EXE
> is a TNEF file?: 256 [1065932394.83063]
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: d_m: unpacking message took
> 0.062109 seconds
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: unsetting QMAILQUEUE env var
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: g_e_h: no sender and no recips.
>
> Sun, 12 Oct 2003 00:19:54 -0400:22878: cleanup: /bin/rm -rf
> /var/spool/qmailscan/studmail.essextech.org106593239445622878/
> /var/spool/qmailscan/working/new/studmail.essextech.org106593239445622878
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: +++ starting debugging for
> process 22906 by uid=88 at Sun, 12 Oct 2003 00:28:36 -0400
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: setting UID to EUID so
> subprocesses can access files generated by this script
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: program name is
> qmail-scanner-queue.pl, version 1.20rc3
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: incoming pipe connection from via
> local process 22906
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: w_c: mkdir
> /var/spool/qmailscan/studmail.essextech.org106593291645622906
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: w_c: start dumping incoming msg
> into
> /var/spool/qmailscan/working/tmp/studmail.essextech.org106593291645622906
> [1065932916.61332]
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: w_c: primary Content-Type of
> multipart/mixed found
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: w_c: found a top-level boundary
> definition of =_0_22902_1065932916
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: w_c: attachment 1: Content-Type
> of text/plain found
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: found C-T attachment filename
> flashcom.exe
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: w_c: attachment 2: Content-Type
> of application/octet-stream found
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/studmail.essextech.org106593291645622906 to
> /var/spool/qmailscan/working/new/studmail.essextech.org106593291645622906
> [1065932916.68368]
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: d_m: starting /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org106593291645622906/
> </var/spool/qmailscan/working/new/studmail.essextech.org106593291645622906
> [1065932916.68433]
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: d_m: finished /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org106593291645622906/
> [1065932916.73092]
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: d_m: Checking all attachments to
> see if they're MS-TNEF
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: d_m: is
> /var/spool/qmailscan/studmail.essextech.org106593291645622906/1065932916.22908-0.studmail.essextech.org
> is a TNEF file?: 256 [1065932916.73869]
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: d_m: is
> /var/spool/qmailscan/studmail.essextech.org106593291645622906/FLASHCOM.EXE
> is a TNEF file?: 256 [1065932916.74597]
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: d_m: unpacking message took
> 0.062042 seconds
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: unsetting QMAILQUEUE env var
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: g_e_h: no sender and no recips.
>
> Sun, 12 Oct 2003 00:28:36 -0400:22906: cleanup: /bin/rm -rf
> /var/spool/qmailscan/studmail.essextech.org106593291645622906/
> /var/spool/qmailscan/working/new/studmail.essextech.org106593291645622906
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: +++ starting debugging for
> process 22941 by uid=88 at Sun, 12 Oct 2003 00:42:19 -0400
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: setting UID to EUID so
> subprocesses can access files generated by this script
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: program name is
> qmail-scanner-queue.pl, version 1.20rc3
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: incoming pipe connection from via
> local process 22941
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: w_c: mkdir
> /var/spool/qmailscan/studmail.essextech.org106593373945622941
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: w_c: start dumping incoming msg
> into
> /var/spool/qmailscan/working/tmp/studmail.essextech.org106593373945622941
> [1065933739.09837]
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: w_c: primary Content-Type of
> multipart/mixed found
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: w_c: found a top-level boundary
> definition of =_0_22937_1065933738
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: w_c: attachment 1: Content-Type
> of text/plain found
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: found C-T attachment filename
> flashcom.exe
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: w_c: attachment 2: Content-Type
> of application/octet-stream found
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/studmail.essextech.org106593373945622941 to
> /var/spool/qmailscan/working/new/studmail.essextech.org106593373945622941
> [1065933739.16798]
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: d_m: starting /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org106593373945622941/
> </var/spool/qmailscan/working/new/studmail.essextech.org106593373945622941
> [1065933739.16866]
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: d_m: finished /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org106593373945622941/
> [1065933739.21535]
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: d_m: Checking all attachments to
> see if they're MS-TNEF
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: d_m: is
> /var/spool/qmailscan/studmail.essextech.org106593373945622941/1065933739.22943-0.studmail.essextech.org
> is a TNEF file?: 256 [1065933739.22332]
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: d_m: is
> /var/spool/qmailscan/studmail.essextech.org106593373945622941/FLASHCOM.EXE
> is a TNEF file?: 256 [1065933739.23054]
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: d_m: unpacking message took
> 0.062266 seconds
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: unsetting QMAILQUEUE env var
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: g_e_h: no sender and no recips.
>
> Sun, 12 Oct 2003 00:42:19 -0400:22941: cleanup: /bin/rm -rf
> /var/spool/qmailscan/studmail.essextech.org106593373945622941/
> /var/spool/qmailscan/working/new/studmail.essextech.org106593373945622941
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: +++ starting debugging for
> process 22963 by uid=88 at Sun, 12 Oct 2003 00:46:37 -0400
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: setting UID to EUID so
> subprocesses can access files generated by this script
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: program name is
> qmail-scanner-queue.pl, version 1.20rc3
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: incoming pipe connection from via
> local process 22963
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: w_c: mkdir
> /var/spool/qmailscan/studmail.essextech.org106593399745622963
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: w_c: start dumping incoming msg
> into
> /var/spool/qmailscan/working/tmp/studmail.essextech.org106593399745622963
> [1065933997.61003]
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: w_c: primary Content-Type of
> multipart/mixed found
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: w_c: found a top-level boundary
> definition of =_0_22959_1065933997
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: w_c: attachment 1: Content-Type
> of text/plain found
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: found C-T attachment filename
> flashcom.exe
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: w_c: attachment 2: Content-Type
> of application/octet-stream found
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/studmail.essextech.org106593399745622963 to
> /var/spool/qmailscan/working/new/studmail.essextech.org106593399745622963
> [1065933997.68061]
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: d_m: starting /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org106593399745622963/
> </var/spool/qmailscan/working/new/studmail.essextech.org106593399745622963
> [1065933997.68125]
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: d_m: finished /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org106593399745622963/
> [1065933997.72819]
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: d_m: Checking all attachments to
> see if they're MS-TNEF
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: d_m: is
> /var/spool/qmailscan/studmail.essextech.org106593399745622963/1065933997.22965-0.studmail.essextech.org
> is a TNEF file?: 256 [1065933997.73611]
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: d_m: is
> /var/spool/qmailscan/studmail.essextech.org106593399745622963/FLASHCOM.EXE
> is a TNEF file?: 256 [1065933997.74338]
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: d_m: unpacking message took
> 0.062531 seconds
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: unsetting QMAILQUEUE env var
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: g_e_h: no sender and no recips.
>
> Sun, 12 Oct 2003 00:46:37 -0400:22963: cleanup: /bin/rm -rf
> /var/spool/qmailscan/studmail.essextech.org106593399745622963/
> /var/spool/qmailscan/working/new/studmail.essextech.org106593399745622963
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: +++ starting debugging for process
> 825 by uid=88 at Sun, 12 Oct 2003 01:02:54 -0400
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: setting UID to EUID so subprocesses
> can access files generated by this script
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: program name is
> qmail-scanner-queue.pl, version 1.20rc3
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: incoming pipe connection from via
> local process 825
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: w_c: mkdir
> /var/spool/qmailscan/studmail.essextech.org1065934974456825
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: w_c: start dumping incoming msg
> into
> /var/spool/qmailscan/working/tmp/studmail.essextech.org1065934974456825
> [1065934974.26459]
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: w_c: primary Content-Type of
> multipart/mixed found
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: w_c: found a top-level boundary
> definition of =_0_821_1065934972
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: w_c: attachment 1: Content-Type of
> text/plain found
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: found C-T attachment filename
> flashcom.exe
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: w_c: attachment 2: Content-Type of
> application/octet-stream found
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/studmail.essextech.org1065934974456825
> to
> /var/spool/qmailscan/working/new/studmail.essextech.org1065934974456825
> [1065934974.34216]
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: d_m: starting /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org1065934974456825/
> </var/spool/qmailscan/working/new/studmail.essextech.org1065934974456825
> [1065934974.3428]
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: d_m: finished /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org1065934974456825/
> [1065934974.42108]
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: d_m: Checking all attachments to
> see if they're MS-TNEF
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: d_m: is
> /var/spool/qmailscan/studmail.essextech.org1065934974456825/1065934974.827-0.studmail.essextech.org
> is a TNEF file?: 256 [1065934974.4575]
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: d_m: is
> /var/spool/qmailscan/studmail.essextech.org1065934974456825/FLASHCOM.EXE
> is a TNEF file?: 256 [1065934974.46536]
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: d_m: unpacking message took
> 0.122948 seconds
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: unsetting QMAILQUEUE env var
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: g_e_h: no sender and no recips.
>
> Sun, 12 Oct 2003 01:02:54 -0400:825: cleanup: /bin/rm -rf
> /var/spool/qmailscan/studmail.essextech.org1065934974456825/
> /var/spool/qmailscan/working/new/studmail.essextech.org1065934974456825
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: +++ starting debugging for process
> 883 by uid=88 at Sun, 12 Oct 2003 01:14:08 -0400
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: setting UID to EUID so subprocesses
> can access files generated by this script
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: program name is
> qmail-scanner-queue.pl, version 1.20rc3
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: incoming pipe connection from via
> local process 883
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: w_c: mkdir
> /var/spool/qmailscan/studmail.essextech.org1065935648456883
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: w_c: start dumping incoming msg
> into
> /var/spool/qmailscan/working/tmp/studmail.essextech.org1065935648456883
> [1065935648.28141]
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: w_c: primary Content-Type of
> multipart/mixed found
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: w_c: found a top-level boundary
> definition of =_0_879_1065935647
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: w_c: attachment 1: Content-Type of
> text/plain found
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: found C-T attachment filename
> flashcom.exe
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: w_c: attachment 2: Content-Type of
> application/octet-stream found
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/studmail.essextech.org1065935648456883
> to
> /var/spool/qmailscan/working/new/studmail.essextech.org1065935648456883
> [1065935648.35128]
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: d_m: starting /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org1065935648456883/
> </var/spool/qmailscan/working/new/studmail.essextech.org1065935648456883
> [1065935648.35192]
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: d_m: finished /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org1065935648456883/
> [1065935648.39819]
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: d_m: Checking all attachments to
> see if they're MS-TNEF
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: d_m: is
> /var/spool/qmailscan/studmail.essextech.org1065935648456883/1065935648.885-0.studmail.essextech.org
> is a TNEF file?: 256 [1065935648.4062]
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: d_m: is
> /var/spool/qmailscan/studmail.essextech.org1065935648456883/FLASHCOM.EXE
> is a TNEF file?: 256 [1065935648.41393]
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: d_m: unpacking message took
> 0.062403 seconds
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: unsetting QMAILQUEUE env var
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: g_e_h: no sender and no recips.
>
> Sun, 12 Oct 2003 01:14:08 -0400:883: cleanup: /bin/rm -rf
> /var/spool/qmailscan/studmail.essextech.org1065935648456883/
> /var/spool/qmailscan/working/new/studmail.essextech.org1065935648456883
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: +++ starting debugging for process
> 1282 by uid=0 at Sun, 12 Oct 2003 02:08:27 -0400
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: setting UID to EUID so
> subprocesses can access files generated by this script
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: program name is
> qmail-scanner-queue.pl, version 1.20rc3
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: incoming pipe connection from via
> local process 1282
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: w_c: mkdir
> /var/spool/qmailscan/studmail.essextech.org10659389074561282
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: w_c: start dumping incoming msg
> into
> /var/spool/qmailscan/working/tmp/studmail.essextech.org10659389074561282
> [1065938907.99297]
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: w_c: disallowed breakage found in
> header name (
>
> ) - potential virus
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/studmail.essextech.org10659389074561282
> to
> /var/spool/qmailscan/working/new/studmail.essextech.org10659389074561282
> [1065938907.99762]
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: d_m: starting /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org10659389074561282/
> </var/spool/qmailscan/working/new/studmail.essextech.org10659389074561282
> [1065938907.99848]
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: d_m: finished /usr/bin/reformime
> -x/var/spool/qmailscan/studmail.essextech.org10659389074561282/
> [1065938908.01408]
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: d_m: Checking all attachments to
> see if they're MS-TNEF
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: d_m: is
> /var/spool/qmailscan/studmail.essextech.org10659389074561282/1065938908.1284-0.studmail.essextech.org
> is a TNEF file?: 256 [1065938908.02251]
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: d_m: unpacking message took
> 0.024462 seconds
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: unsetting QMAILQUEUE env var
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: g_e_h: no sender and no recips.
>
> Sun, 12 Oct 2003 02:08:27 -0400:1282: cleanup: /bin/rm -rf
> /var/spool/qmailscan/studmail.essextech.org10659389074561282/
> /var/spool/qmailscan/working/new/studmail.essextech.org10659389074561282
--
Russel Oliver
[EMAIL PROTECTED]
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
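
As an added example (not part of the original thread and not qmail-scanner's own code), the Python below lints a rules file against the format the file's comments describe and evaluates its three rule kinds: exact filename plus size, extension of any size, and anchored case-sensitive header regex. The sample rules are constructed; treating a first column that starts with "." as an extension rule, lower-casing header names, and using Python regex syntax in place of Perl's are assumptions.

```python
import re

# Constructed sample in the TAB-delimited format the file's comments describe.
# The last line uses spaces instead of TABs on purpose.
SAMPLE = (
    "# comment line\n"
    "EICAR.COM\t69\tEICAR Test Virus\n"
    ".exe\t0\tEXE files not allowed\n"
    "Pickles.*Breakfast\tVirus-Subject:\tFake Example Pickles virus\n"
    ".{100,}\tVirus-Date:\tMIME Header Buffer Overflow\n"
    ".mp3 0 MP3 attachments disallowed\n"
)

# Second column of a header rule: "Virus-" + header name + ":"
HEADER_COL = re.compile(r"^Virus-([A-Za-z0-9-]+):$")


def parse_rules(text):
    """Return (rules, problems); problems are (line_number, reason) pairs."""
    rules, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != 3:
            problems.append(
                (n, "expected 3 TAB-separated columns, got %d" % len(cols)))
            continue
        pattern, second, desc = (c.strip() for c in cols)
        header = HEADER_COL.match(second)
        if header:
            try:
                rx = re.compile(pattern)  # case-sensitive, as the file states
            except re.error as exc:
                problems.append((n, "bad regex: %s" % exc))
                continue
            rules.append(("header", header.group(1).lower(), rx, desc))
        elif second.isdigit():
            # Assumption: a leading "." marks an extension rule (size ignored)
            kind = "ext" if pattern.startswith(".") else "file"
            rules.append((kind, pattern.lower(), int(second), desc))
        else:
            problems.append(
                (n, "second column is neither a size nor Virus-<header>:"))
    return rules, problems


def check_attachment(rules, filename, size):
    """Description of the first filename rule that matches, else None."""
    name = filename.lower()  # filename matching is case-insensitive
    for kind, pattern, rule_size, desc in (r for r in rules if r[0] != "header"):
        if kind == "ext" and name.endswith(pattern):
            return desc
        if kind == "file" and name == pattern and size == rule_size:
            return desc
    return None


def check_header(rules, header, value):
    """Description of the first header rule that matches, else None."""
    for kind, name, rx, desc in (r for r in rules if r[0] == "header"):
        # fullmatch gives the ^...$ anchoring the file says is applied
        if name == header.lower() and rx.fullmatch(value):
            return desc
    return None


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE)
    for line_no, reason in problems:
        print("line %d: %s" % (line_no, reason))
    print(check_attachment(rules, "FLASHCOM.EXE", 12345))
    print(check_header(rules, "Subject", "Pickles for Breakfast"))
```
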