[qmailtoaster] Re: 554 Your email was rejected because it contains the MBL_303159.UNOFFICIAL virus

[Eric Shubert]

On 08/07/2012 10:05 AM, Eric Shubert wrote:
On 08/07/2012 09:03 AM, Maxwell Smart wrote:

On 08/07/2012 08:59 AM, Marco Volkert wrote:
Hi,

Not sure if this is the right list, but my users getting this error:
554 Your email was rejected because it contains the
MBL_303159.UNOFFICIAL virus
if they try to send an email. Regardless of protocol and format. Some
users told me they are also waiting for external emails but the
senders get a similar error message.

For now, I disabled clamav in /var/qmail/control/simcontrol so my
users are able to send emails.

Is this issue already known? What can I do that the mail server is
working as usual (with clamav)?

simscan 1.4.0
clamav: 0.97.5/m:54/d:15226
spam: 3.3.2



Regards,
Marco Volkert

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

That appears to be coming from your network.  ClamAV only scans incoming
e mail.  Your issue appears to be with outgoing e mails being infected.

---------------------------------------------------------------------

Not true, CJ. SpamAssassin scans only incoming, but Clamav scans
everything, including submissions.

Marco, this appears to be a signature that's included in the sane
security additional signatures. You might have some old signature files
hanging around which need to be cleaned up. Please post the following:
# ls -lR /usr/share/clamav


Turns out you're not alone. A few others on the sanesecurity list have 
reported this FP (False Positive) as well. There's no word on when the 
MBL maintainers will fix this.

If you're not running the sanesecurity update cron job, you can simply 
remove the MBL files from /usr/share/clamav/, then do "qmail-clam restart".

If you are running sanesecurity (which I'm guessing you are), here's 
what Steve had to say on the sanesecurity list:

<quote>
I've added an ignore sig, which will go to the mirrors shortly.

....Or something like this will do for speed:

printf > ignoresigs.ign2 MBL_303159
copy the ignoresigs.ign2 file to clamav directory and restart clamd

As the MBL ones aren't distributed by me, I can't really do much more
that add an updated .ign2 file

Cheers,

Steve
Sanesecurity
</quote>

In our case, the clamav directory is /usr/share/clamav/.

--
-Eric 'shubes'




---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com