Here is the relevant portion of the log file. Thanks.
eric
Mon, 15 Mar 2004 08:12:50 -0600:15058: from=Eric Weide <[EMAIL PROTECTED]>,subj=Password protected virus file, x-qmail-scanner-message-id=<1079359866.5272.19.came[EMAIL PROTECTED]> via SMTP from 209.184.62.12
Mon, 15 Mar 2004 08:12:50 -0600:15058: ini_sc: start scanning
Mon, 15 Mar 2004 08:12:50 -0600:15058: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/mail.aceks.com107935997047015058/
Mon, 15 Mar 2004 08:12:50 -0600:15058: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/mail.aceks.com107935997047015058"...
Mon, 15 Mar 2004 08:12:50 -0600:15058: scanloop: scanner=uvscan_scanner,plain_text_msg=0
Mon, 15 Mar 2004 08:12:50 -0600:15058: uvscan: starting scan of directory "/var/spool/qmailscan/tmp/mail.aceks.com107935997047015058"...
Mon, 15 Mar 2004 08:12:50 -0600:15058: run /usr/local/bin/uvscan -v -r --secure --fam --unzip --macro-heuristics /var/spool/qmailscan/tmp/mail.aceks.com107935997047015058 2>&1
Mon, 15 Mar 2004 08:12:50 -0600:15059: w_c: attachment 2: Content-Type of text/html found
Mon, 15 Mar 2004 08:12:50 -0600:15058: --output of uvscan was:
Scanning /var/spool/qmailscan/tmp/mail.aceks.com107935997047015058/*
Scanning file /var/spool/qmailscan/tmp/mail.aceks.com107935997047015058/1079359970.15061-0.mail.aceks.com
Scanning file /var/spool/qmailscan/tmp/mail.aceks.com107935997047015058/name.scr.zip
Scanning file /var/spool/qmailscan/tmp/mail.aceks.com107935997047015058/name.scr.zip/NAME1.SCR
/var/spool/qmailscan/tmp/mail.aceks.com107935997047015058/name.scr.zip/NAME1.SCR is password-protected.
--
Mon, 15 Mar 2004 08:12:50 -0600:15058: uvscan: finished scan of dir "/var/spool/qmailscan/tmp/mail.aceks.com107935997047015058" in 0.17849 secs
Mon, 15 Mar 2004 08:12:50 -0600:15058: scanloop: scanner=spamassassin,plain_text_msg=0
Mon, 15 Mar 2004 08:12:50 -0600:15058: spamassassin: don't scan as RELAYCLIENT implies this was sent by a local user
Mon, 15 Mar 2004 08:12:50 -0600:15058: scanloop: finished scan of "/var/spool/qmailscan/tmp/mail.aceks.com107935997047015058"...
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: starting scan of directory "/var/spool/qmailscan/tmp/mail.aceks.com107935997047015058"...
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: ' .exe' = '0' = 'Executable attachment too large'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '.hta' = '0' = 'HTA files are usually viruses, and are therefore not allowed!'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '.pif' = '0' = 'PIF files are usually viruses, and are therefore not allowed!'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '.scr' = '0' = 'SCR files are usually viruses, and are therefore not allowed!'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '.vbs' = '0' = 'VBS files are usually viruses, and are therefore not allowed!'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '.wsh' = '0' = 'WSH files are usually viruses, and are therefore not allowed!'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '105:management@|[EMAIL PROTECTED]ks.com|[EMAIL PROTECTED]' = 'Virus-MAILFROM' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing MAILFROM: management@|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '106:E-mail account disabling warning' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: E-mail account disabling warning
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '107:E-mail account security warning.' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: E-mail account security warning.
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '108:Email account utilization warning.' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Email account utilization warning.
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '109:Important notify about your e-mail account.' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Important notify about your e-mail account.
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '110:Notify about using the e-mail account.' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Notify about using the e-mail account.
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '111:Notify about your e-mail account utilization.' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Notify about your e-mail account utilization.
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '112:Warning about your e-mail account.' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Warning about your e-mail account.
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '113:Weah, hello! :-\)' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Weah, hello! :-\)
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '114:Weeeeee! ;\)\)\)' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Weeeeee! ;\)\)\)
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '115:Hi! :-\)' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Hi! :-\)
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '116:ello! =\)\)' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: ello! =\)\)
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '117:Hey, ya! =\)\)' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Hey, ya! =\)\)
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '118:\^_\^ meay-meay!' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: \^_\^ meay-meay!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '119:\^_\^ meay-meay!' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: \^_\^ meay-meay!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '120:\^_\^ mew-mew \(-:' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: \^_\^ mew-mew \(-:
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '121:Hokki =\)' = 'Virus-subject' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: Hokki =\)
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '82:ILOVEYOU' = 'Virus-subject' = 'Love Letter Virus/Trojan'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing subject: ILOVEYOU
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '83:message/partial.*' = 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing content-type: message/partial.*
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '86:.{100,}' = 'Virus-date' = 'MIME Header Buffer Overflow'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing date: .{100,}
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '87:.{100,}' = 'Virus-mime-version' = 'MIME Header Buffer Overflow '
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing mime-version: .{100,}
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '88:.{100,}' = 'Virus-resent-date' = 'MIME Header Buffer Overflow'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing resent-date: .{100,}
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: '91:[EMAIL PROTECTED]|[EMAIL PROTECTED]oo.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]nge.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]om|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a header!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking for objects containing to: [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|WPA[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|eccle[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|XH[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]yrealbox.com
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'attach.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'attacheddocument.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'attachedfile.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'document.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'info.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'information.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'letter.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'message.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'moreinfo.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'msg.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'msginfo.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'readme.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'text.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'textdocument.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'textfile.zip' = '0' = 'Bagle-H/I'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: 'zipped_files.exe' = '120495' = 'W32/ExploreZip.worm.pak virus'
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: type is a size!
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: skipping auto-generated file 1079359970.15061-0.mail.aceks.com
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking name.scr.zip against perlscanner database...
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: file name.scr.zip is lowercased to name.scr.zip and has extension .zip
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: compare name.scr.zip (size 250) against perlscanner database
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: checking name.scr.zip against perlscanner database...
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: file name.scr.zip is lowercased to name.scr.zip and has extension .zip
Mon, 15 Mar 2004 08:12:50 -0600:15058: p_s: compare name.scr.zip (size 250) against perlscanner database
Mon, 15 Mar 2004 08:12:50 -0600:15058: ini_sc: scanning message took 0.185064 seconds
Mon, 15 Mar 2004 08:12:50 -0600:15058: q_r: fork off child into /var/qmail/bin/qmail-queue...
Mon, 15 Mar 2004 08:12:50 -0600:15070: q_r: xstatus=0
Mon, 15 Mar 2004 08:12:50 -0600:15059: w_c: rename new msg from /var/spool/qmailscan/working/tmp/mail.aceks.com107935997047015059 to /var/spool/qmailscan/working/new/mail.aceks.com107935997047015059 [1079359970.7532]
Mon, 15 Mar 2004 08:12:50 -0600:15059: d_m: starting /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/mail.aceks.com107935997047015059/ </var/spool/qmailscan/working/new/mail.aceks.com107935997047015059 [1079359970.75354]
Mon, 15 Mar 2004 08:12:50 -0600:15059: d_m: finished /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/mail.aceks.com107935997047015059/ [1079359970.76315]
Mon, 15 Mar 2004 08:12:50 -0600:15059: d_m: Checking all attachments to see if they're MS-TNEF
Mon, 15 Mar 2004 08:12:50 -0600:15058: cleanup: /bin/rm -rf /var/spool/qmailscan/tmp/mail.aceks.com107935997047015058/ /var/spool/qmailscan/working/new/mail.aceks.com107935997047015058
15/03/2004 08:12:50:15058: all finished. Total of 0.344493 secs
Mon, 15 Mar 2004 08:12:50 -0600:15059: d_m: is /var/spool/qmailscan/tmp/mail.aceks.com107935997047015059/1079359970.15075-0.mail.aceks.com is a TNEF file?: 256 [1079359970.78014]
Mon, 15 Mar 2004 08:12:50 -0600:15059: d_m: is /var/spool/qmailscan/tmp/mail.aceks.com107935997047015059/1079359970.15075-1.mail.aceks.com is a TNEF file?: 256 [1079359970.78763]
Mon, 15 Mar 2004 08:12:50 -0600:15059: d_m: Check for zip files...
Mon, 15 Mar 2004 08:12:50 -0600:15059: d_m: unpacking message took 0.034527 seconds
Mon, 15 Mar 2004 08:12:50 -0600:15059: unsetting QMAILQUEUE env var
On Mon, 2004-03-15 at 03:00, Jason Haar wrote:
> On Fri, Mar 12, 2004 at 02:19:47PM -0600, Eric Weide wrote:
> > I tried to use the block password protected option, and it didn't seem
> > to work for some reason. I can still send emails containing password
> > protected zip files with viruses. Do I need --unzip 1 to use this
>
> Well your config looks correct, so all I can think of is that your "unzip"
> program doesn't support password-protection.
>
> What does qmail-queue.log say?
--
**************************************
******** Eric Weide - A+,MCP *********
* Advantage Computer Enterprises Inc.*
******* http://www.aceks.com ********
*** Registered Linux User #110542 ***
**************************************
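
Added example, not part of the original thread and not qmail-scanner's own code: a gateway-side check for the case in the log above, where uvscan reports NAME1.SCR as password-protected yet the message is still queued. It reads general-purpose flag bit 0 from each ZIP central-directory entry, which needs neither the password nor an external unzip program. The function names, the verdict strings and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # general-purpose flag bit 0: entry data is encrypted


def encrypted_members(data: bytes) -> list:
    """Names of entries whose central-directory flags mark them encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]


def gateway_verdict(data: bytes) -> str:
    """Hypothetical policy: block encrypted archives, quarantine unreadable ones."""
    try:
        names = encrypted_members(data)
    except zipfile.BadZipFile:
        # An archive the gateway cannot parse was not scanned either.
        return "quarantine: unreadable archive"
    if names:
        return "block: password-protected " + ", ".join(names)
    return "pass: hand to content scanners"


def constructed_sample(encrypted: bool) -> bytes:
    """Constructed test archive; the flag is set by hand, nothing is really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("NAME1.SCR", b"constructed placeholder bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")  # central directory file header
        (flags,) = struct.unpack_from("<H", raw, cd + 8)
        struct.pack_into("<H", raw, cd + 8, flags | ENCRYPTED)
    return bytes(raw)


if __name__ == "__main__":
    samples = [
        ("name.scr.zip (flag set)", constructed_sample(True)),
        ("plain.zip", constructed_sample(False)),
        ("truncated.zip", constructed_sample(True)[:40]),
    ]
    for label, blob in samples:
        print(label, "->", gateway_verdict(blob))
```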