Hello,

Looks like everyone's got their hands full with Bagle today, so thanks for taking the time to look at this if you do.

I'm running:

Qmail-scanner-1.20st
ClamAV 0.65
SA 2.60

A user had a Bagle.J delivered to them today even though it appears that qmail-scanner saw that ClamAV found it ... the qmail-queue.log output is at the end of this email. It really looks like ClamAV found it and Qmail-scanner quarantined it, yet it was delivered.

Is there somewhere else I can find more information to find out why this happened?

Wed, 03 Mar 2004 13:20:59 -0500:12952: +++ starting debugging for process 12952 by uid=100 at Wed, 03 Mar 2004 13:20:59 -0500
Wed, 03 Mar 2004 13:20:59 -0500:12952: setting UID to EUID so subprocesses can access files generated by this script
Wed, 03 Mar 2004 13:20:59 -0500:12952: program name is qmail-scanner-queue.pl, version 1.20st
Wed, 03 Mar 2004 13:20:59 -0500:12952: incoming SMTP connection from via SMTP from 24.87.144.179
Wed, 03 Mar 2004 13:20:59 -0500:12952: w_c: mkdir /var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952
Wed, 03 Mar 2004 13:20:59 -0500:12952: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/cygnus.domain.com107833805954912952 [1078338059.24346]
Wed, 03 Mar 2004 13:20:59 -0500:12952: w_c: primary Content-Type of multipart/mixed found
Wed, 03 Mar 2004 13:20:59 -0500:12952: w_c: found a top-level boundary definition of \-\-\-\-\-\-\-\-abxdnhiqnhdhqxkbikrq
Wed, 03 Mar 2004 13:20:59 -0500:12952: w_c: attachment 1: Content-Type of text/plain found
Wed, 03 Mar 2004 13:20:59 -0500:12952: found C-T attachment filename information.pif
Wed, 03 Mar 2004 13:20:59 -0500:12952: w_c: attachment 2: Content-Type of application/octet-stream found
Wed, 03 Mar 2004 13:20:59 -0500:12952: w_c: rename new msg from /var/spool/qmailscan/working/tmp/cygnus.domain.com107833805954912952 to /var/spool/qmailscan/working/new/cygnus.domain.com107833805954912952 [1078338059.95327]
Wed, 03 Mar 2004 13:20:59 -0500:12952: d_m: starting /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952/ </var/spool/qmailscan/working/new/cygnus.domain.com107833805954912952 [1078338059.95377]
Wed, 03 Mar 2004 13:20:59 -0500:12952: d_m: finished /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952/ [1078338059.9627]
Wed, 03 Mar 2004 13:20:59 -0500:12952: d_m: Checking all attachments to see if they're MS-TNEF
Wed, 03 Mar 2004 13:20:59 -0500:12952: d_m: is /var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952/1078338059.12954-0.cygnus.domain.com is a TNEF file?: 256 [1078338059.96551]
Wed, 03 Mar 2004 13:20:59 -0500:12952: d_m: is /var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952/Information.pif is a TNEF file?: 256 [1078338059.96832]
Wed, 03 Mar 2004 13:20:59 -0500:12952: d_m: unpacking message took 0.014865 seconds
Wed, 03 Mar 2004 13:20:59 -0500:12952: unsetting QMAILQUEUE env var
Wed, 03 Mar 2004 13:20:59 -0500:12952: g_e_h: return-path is "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Wed, 03 Mar 2004 13:20:59 -0500:12952: [EMAIL PROTECTED],subj=E-mail account disabling warning., x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 24.87.144.179
Wed, 03 Mar 2004 13:20:59 -0500:12952: ini_sc: start scanning
Wed, 03 Mar 2004 13:20:59 -0500:12952: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952/
Wed, 03 Mar 2004 13:20:59 -0500:12952: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952"...
Wed, 03 Mar 2004 13:20:59 -0500:12952: scanloop: scanner=clamscan_scanner,plain_text_msg=0
Wed, 03 Mar 2004 13:20:59 -0500:12952: clamscan: starting scan of directory "/var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952"...
Wed, 03 Mar 2004 13:20:59 -0500:12952: run /usr/local/bin/clamdscan -r --disable-summary --max-recursion=10 --max-space=1000000 /var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952 2>&1
***********************************************************************************
Wed, 03 Mar 2004 13:20:59 -0500:12952: --output of clamscan was:
Wed, 03 Mar 2004 13:20:59 -0500:12952: There be a virus! (Worm.Bagle.J)
***********************************************************************************
Wed, 03 Mar 2004 13:20:59 -0500:12952: clamscan: finished scan of dir "/var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952" in 0.009725 secs
Wed, 03 Mar 2004 13:20:59 -0500:12952: scanloop: finished scan of "/var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952"...
Wed, 03 Mar 2004 13:20:59 -0500:12952: ini_sc: scanning message took 0.010196 seconds
Wed, 03 Mar 2004 13:20:59 -0500:12952: unsetting TCPREMOTEIP env var
Wed, 03 Mar 2004 13:20:59 -0500:12952: e_v_r: quarantine msg to /var/spool/qmailscan/quarantine/new/cygnus.domain.com107833805954912952
Wed, 03 Mar 2004 13:20:59 -0500:12952: i_u_e: called with sender
Wed, 03 Mar 2004 13:20:59 -0500:12952: i_u_e: is_local=99
Wed, 03 Mar 2004 13:20:59 -0500:12952: n_a: notify_addr (set to ) called with sender
Wed, 03 Mar 2004 13:20:59 -0500:12952: n_a: notify_addr (set to ) called with admin
Wed, 03 Mar 2004 13:20:59 -0500:12952: n_a: notify_addr (set to ) called with nmladm
Wed, 03 Mar 2004 13:20:59 -0500:12952: i_u_e: called with sender
Wed, 03 Mar 2004 13:20:59 -0500:12952: i_u_e: is_local=99
Wed, 03 Mar 2004 13:20:59 -0500:12952: n_a: notify_addr (set to ) called with recips
Wed, 03 Mar 2004 13:20:59 -0500:12952: w_v_r: writing quarantine log report of: Wed, 03 Mar 2004 13:20:59 -0500 [EMAIL PROTECTED] [EMAIL PROTECTED] E-mail account disabling warning. Worm.Bagle.J clamscan: 0.65. spamassassin: 2.60.
Wed, 03 Mar 2004 13:20:59 -0500:12952: e_v_r: email_quarantine_report took 0.038984 seconds to execute
Wed, 03 Mar 2004 13:20:59 -0500:12952: cleanup: /bin/rm -rf /var/spool/qmailscan/tmp/cygnus.domain.com107833805954912952/ /var/spool/qmailscan/working/new/cygnus.domain.com107833805954912952

_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
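
A parser for the debug-log layout shown in the message above, added here as an example (it is not part of the original post or of qmail-scanner): it groups entries by scanner PID and lists, per process, the source IP, attachment names, scanner verdict, quarantine path and cleanup step. The PID 12952 lines are abridged from the posted log; PID 13001, its 192.0.2.10 address and the function and field names are constructed for this example.

```python
import re

# Entry layout seen in the post: "<date>:<pid>: <message>"
ENTRY = re.compile(r"^\w{3}, \d{2} \w{3} \d{4} [\d:]{8} [+-]\d{4}:(\d+): (.*)$")
FIELDS = {
    "remote_ip": re.compile(r"via SMTP from (\d{1,3}(?:\.\d{1,3}){3})"),
    "attachment": re.compile(r"found C-T attachment filename (\S+)"),
    "virus": re.compile(r"There be a virus! \((.+)\)"),
    "quarantine": re.compile(r"e_v_r: quarantine msg to (\S+)"),
    "cleanup": re.compile(r"^cleanup: (.+)"),
}
T = "Wed, 03 Mar 2004 13:20:59 -0500"
ID = "cygnus.domain.com107833805954912952"
# PID 12952: abridged from the post. PID 13001: constructed for contrast
# (documentation IP; a detection is logged but no quarantine entry follows).
SAMPLE = "\n".join([
    f"{T}:12952: incoming SMTP connection from via SMTP from 24.87.144.179",
    f"{T}:12952: found C-T attachment filename information.pif",
    f"{T}:13001: incoming SMTP connection from via SMTP from 192.0.2.10",
    "*" * 40,
    f"{T}:12952: There be a virus! (Worm.Bagle.J)",
    f"{T}:13001: There be a virus! (Worm.Bagle.J)",
    f"{T}:12952: e_v_r: quarantine msg to /var/spool/qmailscan/quarantine/new/{ID}",
    f"{T}:12952: cleanup: /bin/rm -rf /var/spool/qmailscan/tmp/{ID}/",
])

def summarise(log_text):
    """Group entries by scanner PID and collect the fields named in FIELDS."""
    sessions = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # rows of asterisks and wrapped fragments carry no PID
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {name: [] for name in FIELDS})
        for name, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit and hit.group(1) not in s[name]:
                s[name].append(hit.group(1))
    return sessions

def detected_not_quarantined(sessions):
    """PIDs whose entries show a scanner hit but no quarantine step."""
    return [p for p, s in sessions.items() if s["virus"] and not s["quarantine"]]

if __name__ == "__main__":
    result = summarise(SAMPLE)
    for pid, fields in result.items():
        print(pid, fields)
    print("detected but not quarantined:", detected_not_quarantined(result))
```

For PID 12952 the summary contains both a detection and a quarantine entry; only the constructed PID 13001 is returned by `detected_not_quarantined`.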
