On 07.08.2012 at 20:52, Eric Shubert wrote:
On 08/07/2012 10:05 AM, Eric Shubert wrote:
On 08/07/2012 09:03 AM, Maxwell Smart wrote:
On 08/07/2012 08:59 AM, Marco Volkert wrote:
Hi,
Not sure if this is the right list, but my users are getting this error:
554 Your email was rejected because it contains the
MBL_303159.UNOFFICIAL virus
if they try to send an email. Regardless of protocol and format. Some
users told me they are also waiting for external emails but the
senders get a similar error message.
For now, I disabled clamav in /var/qmail/control/simcontrol so my
users are able to send emails.
Is this issue already known? What can I do so that the mail server
works as usual (with clamav)?
simscan 1.4.0
clamav: 0.97.5/m:54/d:15226
spam: 3.3.2
Regards,
Marco Volkert
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail:
[email protected]
That appears to be coming from your network. ClamAV only scans
incoming e-mail. Your issue appears to be with outgoing e-mails being
infected.
---------------------------------------------------------------------
Not true, CJ. SpamAssassin scans only incoming, but Clamav scans
everything, including submissions.
Marco, this appears to be a signature that's included in the sane
security additional signatures. You might have some old signature files
hanging around which need to be cleaned up. Please post the following:
# ls -lR /usr/share/clamav
Turns out you're not alone. A few others on the sanesecurity list have
reported this FP (False Positive) as well. There's no word on when the
MBL maintainers will fix this.
If you're not running the sanesecurity update cron job, you can simply
remove the MBL files from /usr/share/clamav/, then do "qmail-clam
restart".
If you are running sanesecurity (which I'm guessing you are), here's
what Steve had to say on the sanesecurity list:
<quote>
I've added an ignore sig, which will go to the mirrors shortly.
....Or something like this will do for speed:
printf > ignoresigs.ign2 MBL_303159
copy the ignoresigs.ign2 file to clamav directory and restart clamd
As the MBL ones aren't distributed by me, I can't really do much more
than add an updated .ign2 file
Cheers,
Steve
Sanesecurity
</quote>
In our case, the clamav directory is /usr/share/clamav/.
Update:
Here is the requested output (# ls -lR /usr/share/clamav ):
[root@mail etc]# ls -lR /usr/share/clamav
/usr/share/clamav:
total 76248
-rw-r--r-- 1 clamav clamav 58757 Jul 26 07:44 bytecode.cvd
-rw-r--r-- 1 clamav clamav 15958528 Aug 8 05:51 daily.cld
-rw-r--r-- 1 clamav clamav 22549 Feb 15 14:29 honeynet.hdb
-rw-r--r-- 1 clamav clamav 5387305 Aug 7 14:54 junk.ndb
-rw-r--r-- 1 clamav clamav 782793 Aug 8 05:53 jurlbl.ndb
-rw-r--r-- 1 clamav clamav 30750647 Apr 26 14:52 main.cvd
-rw-r--r-- 1 clamav clamav 308831 Aug 8 03:31 mbl.ndb
-rw-r--r-- 1 clamav clamav 1144 Aug 8 05:51 mirrors.dat
-rw-r--r-- 1 clamav clamav 3191958 Aug 7 17:54 phish.ndb
-rw-r--r-- 1 clamav clamav 16217 Aug 8 05:53 rogue.hdb
-rw-r--r-- 1 clamav clamav 9164 Jun 19 10:56 sanesecurity.ftm
-rw-r--r-- 1 clamav clamav 1804346 Aug 6 12:57 scam.ndb
-rw-r--r-- 1 clamav clamav 84548 Jun 29 2010 securiteinfobat.hdb
-rw-r--r-- 1 clamav clamav 300559 May 30 22:28 securiteinfodos.hdb
-rw-r--r-- 1 clamav clamav 83941 Jan 13 2012 securiteinfoelf.hdb
-rw-r--r-- 1 clamav clamav 13153597 Aug 7 11:43 securiteinfo.hdb
-rw-r--r-- 1 clamav clamav 1125474 Aug 7 11:46 securiteinfohtml.hdb
-rw-r--r-- 1 clamav clamav 314920 Feb 10 10:48 securiteinfooffice.hdb
-rw-r--r-- 1 clamav clamav 531426 Jan 13 2012 securiteinfopdf.hdb
-rw-r--r-- 1 clamav clamav 30239 Jan 13 2012 securiteinfosh.hdb
-rw-r--r-- 1 clamav clamav 57676 Mar 2 13:22 spamimg.hdb
drwxr-xr-x 8 clamav clamav 4096 Apr 27 09:25 unofficial-dbs
-rw-r--r-- 1 clamav clamav 2660975 Aug 6 21:45 winnow_malware.hdb
-rw-r--r-- 1 clamav clamav 1241002 Aug 6 19:45 winnow_malware_links.ndb
/usr/share/clamav/unofficial-dbs:
total 24
drwxr-xr-x 2 clamav clamav 4096 Apr 27 09:25 add-dbs
drwxr-xr-x 2 clamav clamav 4096 Aug 8 06:30 configs
drwx------ 2 clamav clamav 4096 Aug 8 06:30 gpg-key
drwxr-xr-x 2 clamav clamav 4096 Apr 27 09:28 mbl-dbs
drwxr-xr-x 2 clamav clamav 4096 Apr 27 09:28 si-dbs
drwxr-xr-x 2 clamav clamav 4096 Aug 8 06:30 ss-dbs
/usr/share/clamav/unofficial-dbs/add-dbs:
total 0
/usr/share/clamav/unofficial-dbs/configs:
total 28
-rw-r--r-- 1 clamav clamav 2227 Aug 8 06:30 current-dbs.txt
-rw-r--r-- 1 clamav clamav 0 Aug 8 06:30 db-changes.txt
-rw-r--r-- 1 clamav clamav 11 Aug 8 03:31 last-mbl-update.txt
-rw-r--r-- 1 clamav clamav 11 Aug 8 05:28 last-si-update.txt
-rw-r--r-- 1 clamav clamav 2227 Aug 8 06:30 previous-dbs.txt
-rw-r--r-- 1 clamav clamav 3166 Aug 8 06:30 purge.txt
-rw-r--r-- 1 clamav clamav 34 Apr 27 09:28 scan-test.txt
-rw-r--r-- 1 clamav clamav 280 Aug 8 06:30 ss-include-dbs.txt
/usr/share/clamav/unofficial-dbs/gpg-key:
total 12
-rw-r--r-- 1 clamav clamav 1762 Feb 7 15:49 publickey.gpg
-rw-r--r-- 1 clamav clamav 0 Apr 27 09:25 secring.gpg
-rw-r--r-- 1 clamav clamav 1205 Apr 27 09:25 ss-keyring.gpg
-rw-r--r-- 1 clamav clamav 0 Apr 27 09:25 ss-keyring.gpg~
-rw-r--r-- 1 clamav clamav 1200 Apr 27 09:25 trustdb.gpg
/usr/share/clamav/unofficial-dbs/mbl-dbs:
total 308
-rw-r--r-- 1 clamav clamav 308831 Aug 8 03:31 mbl.ndb
/usr/share/clamav/unofficial-dbs/si-dbs:
total 15340
-rw-r--r-- 1 clamav clamav 22549 Feb 15 14:29 honeynet.hdb
-rw-r--r-- 1 clamav clamav 84548 Jun 29 2010 securiteinfobat.hdb
-rw-r--r-- 1 clamav clamav 300559 May 30 22:28 securiteinfodos.hdb
-rw-r--r-- 1 clamav clamav 83941 Jan 13 2012 securiteinfoelf.hdb
-rw-r--r-- 1 clamav clamav 13153597 Aug 7 11:43 securiteinfo.hdb
-rw-r--r-- 1 clamav clamav 1125474 Aug 7 11:46 securiteinfohtml.hdb
-rw-r--r-- 1 clamav clamav 314920 Feb 10 10:48 securiteinfooffice.hdb
-rw-r--r-- 1 clamav clamav 531426 Jan 13 2012 securiteinfopdf.hdb
-rw-r--r-- 1 clamav clamav 30239 Jan 13 2012 securiteinfosh.hdb
/usr/share/clamav/unofficial-dbs/ss-dbs:
total 14888
-rw-r--r-- 1 clamav clamav 5387305 Aug 7 14:54 junk.ndb
-rw-r--r-- 1 clamav clamav 72 Aug 7 14:54 junk.ndb.sig
-rw-r--r-- 1 clamav clamav 782793 Aug 8 05:53 jurlbl.ndb
-rw-r--r-- 1 clamav clamav 72 Aug 8 05:53 jurlbl.ndb.sig
-rw-r--r-- 1 clamav clamav 3191958 Aug 7 17:54 phish.ndb
-rw-r--r-- 1 clamav clamav 72 Aug 7 17:54 phish.ndb.sig
-rw-r--r-- 1 clamav clamav 16217 Aug 8 05:53 rogue.hdb
-rw-r--r-- 1 clamav clamav 72 Aug 8 05:53 rogue.hdb.sig
-rw-r--r-- 1 clamav clamav 9164 Jun 19 10:56 sanesecurity.ftm
-rw-r--r-- 1 clamav clamav 72 Jun 19 10:56 sanesecurity.ftm.sig
-rw-r--r-- 1 clamav clamav 1804346 Aug 6 12:57 scam.ndb
-rw-r--r-- 1 clamav clamav 72 Aug 6 12:57 scam.ndb.sig
-rw-r--r-- 1 clamav clamav 57676 Mar 2 13:22 spamimg.hdb
-rw-r--r-- 1 clamav clamav 72 Mar 2 13:22 spamimg.hdb.sig
-rw-r--r-- 1 clamav clamav 2660975 Aug 8 05:45 winnow_malware.hdb
-rw-r--r-- 1 clamav clamav 72 Aug 8 05:45 winnow_malware.hdb.sig
-rw-r--r-- 1 clamav clamav 1241002 Aug 8 05:45 winnow_malware_links.ndb
-rw-r--r-- 1 clamav clamav 72 Aug 8 05:45 winnow_malware_links.ndb.sig
[root@mail etc]#
With that version of the files it seems to work again. I enabled clamav in
/var/qmail/control/simcontrol again and have got no error yet.
Again, thanks for all your help :-)
Cheers,
Marco Volkert
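
Added example, not part of the original thread or of any poster's setup: a small shell helper for the false-positive workaround discussed above. It pulls the signature name out of the 554 rejection text, locates the database file that defines it, and records it once in an ignore file. The function names, the file name local.ign2 and the sample signature lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Extract the signature name from a rejection line and drop the
# ".UNOFFICIAL" suffix ClamAV appends to third-party detections
# (.ign2 entries use the bare name, as in Steve's printf above).
sig_from_reject() {
    printf '%s\n' "$1" |
        sed -n 's/.*contains the \([A-Za-z0-9._-]*\) virus.*/\1/p' |
        sed 's/\.UNOFFICIAL$//'
}

# Print the database files in directory $2 that define signature $1.
# .ndb lines start with the name (Name:Target:Offset:Hex);
# .hdb lines end with it (MD5:Size:Name).
find_sig_db() {
    for f in "$2"/*.ndb "$2"/*.hdb; do
        [ -f "$f" ] || continue
        awk -F: -v n="$1" '($1 == n || $3 == n) { found = 1; exit }
            END { exit !found }' "$f" && basename "$f"
    done
    return 0
}

# Append the name to the ignore file only if it is not already listed.
# clamd has to be restarted afterwards to pick the file up.
add_ignore() {
    grep -qxF "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# Demo on constructed data in a temporary directory (not real signatures).
demo() {
    d=$(mktemp -d)
    printf 'MBL_303159:4:*:6578616d706c65\n' > "$d/mbl.ndb"
    printf 'd41d8cd98f00b204e9800998ecf8427e:0:Constructed.Sample\n' > "$d/sample.hdb"
    sig=$(sig_from_reject '554 Your email was rejected because it contains the MBL_303159.UNOFFICIAL virus')
    echo "signature:  $sig"
    echo "defined in: $(find_sig_db "$sig" "$d")"
    add_ignore "$sig" "$d/local.ign2"
    add_ignore "$sig" "$d/local.ign2"   # second call changes nothing
    echo "ignore file:"; cat "$d/local.ign2"
    rm -rf "$d"
}
demo
```

Knowing which file defines the signature shows whether the false positive comes from the official databases or from an add-on set, which decides whose maintainers need the report.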