Folks, I've had qmail-scanner 1.20 running on my FreeBSD box with clamav-0.70, and recently I've been getting emails with viruses that clamav knows about getting through, as follows:
------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
name="bill.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="bill.exe"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUAAEwBAwAAAAAA
AAAAAAAAAADgAA8BCwEAAAAEAAAAcgAAAAAAAAAgAQAAEAAAACAAAAAAQAAAEAAAAAIAAAQA
(that's not the whole thing of course)
But if I export that email to a file and clamscan it with -m, clamav reports it as somefool.P.
But when it comes through my mail server, QS never catches it.
Here's how my QS clamscan is configured:
my $clamscan_binary='/usr/local/bin/clamscan';
my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=100000";
And here's the debug:
Fri, 23 Apr 2004 21:43:31 -0400:93702: +++ starting debugging for process 93702 by
uid=82 at Fri,
23 Apr 2004 21:43:31 -0400
Fri, 23 Apr 2004 21:43:31 -0400:93702: setting UID to EUID so subprocesses can access
files
generated by this script
Fri, 23 Apr 2004 21:43:31 -0400:93702: program name is qmail-scanner-queue.pl, version
1.20
Fri, 23 Apr 2004 21:43:31 -0400:93702: incoming SMTP connection from via SMTP from
127.0.0.1
Fri, 23 Apr 2004 21:43:31 -0400:93702: w_c: mkdir
/var/spool/qmailscan/tmp/beast108277101146193702
Fri, 23 Apr 2004 21:43:31 -0400:93702: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/beast108277101146193702 [1082771011.52097]
Fri, 23 Apr 2004 21:43:31 -0400:93702: w_c: primary Content-Type of text/plain found
Fri, 23 Apr 2004 21:43:31 -0400:93702: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/beast108277101146193702 to
/var/spool/qmailscan/working/new/beast108277101146193702
[1082771011.58073]
Fri, 23 Apr 2004 21:43:31 -0400:93702: d_m: starting /usr/local/bin/reformime
-x/var/spool/qmailscan/tmp/beast108277101146193702/
</var/spool/qmailscan/working/new/beast1082771011
46193702 [1082771011.58214]
Fri, 23 Apr 2004 21:43:31 -0400:93702: d_m: finished /usr/local/bin/reformime
-x/var/spool/qmailscan/tmp/beast108277101146193702/ [1082771011.62233]
Fri, 23 Apr 2004 21:43:31 -0400:93702: d_m: Checking all attachments to see if they're
MS-TNEF
Fri, 23 Apr 2004 21:43:31 -0400:93702: d_m: is
/var/spool/qmailscan/tmp/beast108277101146193702/1082771011.93704-0.beast is a TNEF
file?: 256
[1082771011.68289]
Fri, 23 Apr 2004 21:43:31 -0400:93702: d_m: Manually unpack any zip files as some
virus scanners
don't do zip under Unix!
Fri, 23 Apr 2004 21:43:31 -0400:93702: d_m: unpacking message took 0.102019 seconds
Fri, 23 Apr 2004 21:43:31 -0400:93702: unsetting QMAILQUEUE env var
Fri, 23 Apr 2004 21:43:31 -0400:93702: g_e_h: return-path is "[EMAIL PROTECTED]",
recips is
"[EMAIL PROTECTED]"
Fri, 23 Apr 2004 21:43:31 -0400:93702: from=Charlie Root
<[EMAIL PROTECTED]>,[EMAIL PROTECTED]: Mail delivery failed: returning
message to sender], x-qmai
l-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 127.0.0.1
Fri, 23 Apr 2004 21:43:31 -0400:93702: This is a PLAIN text message (because it's
either not mime,
or is text/plain), skip virus scanners - but not SA
Fri, 23 Apr 2004 21:43:31 -0400:93702: ini_sc: start scanning
Fri, 23 Apr 2004 21:43:31 -0400:93702: ini_sc: recursively scan the directory
/var/spool/qmailscan/tmp/beast108277101146193702/
Fri, 23 Apr 2004 21:43:31 -0400:93702: scanloop: starting scan of directory
"/var/spool/qmailscan/tmp/beast108277101146193702"...
Fri, 23 Apr 2004 21:43:31 -0400:93702: scanloop:
scanner=clamscan_scanner,plain_text_msg=1
Fri, 23 Apr 2004 21:43:31 -0400:93702: scanloop: finished scan of
"/var/spool/qmailscan/tmp/beast108277101146193702"...
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: starting scan of directory
"/var/spool/qmailscan/tmp/beast108277101146193702"...
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love
Letter
Virus/Trojan'
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a header!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: checking for objects containing subject:
ILOVEYOU
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: '82:message/partial.*' =
'Virus-content-type' =
'Message/partial MIME attachments blocked by policy'
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a header!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: checking for objects containing
content-type:
message/partial.*
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: '85:.{100,}' = 'Virus-date' = 'MIME
Header Buffer
Overflow'
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a header!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: checking for objects containing date:
.{100,}
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: '86:.{100,}' = 'Virus-mime-version' =
'MIME Header
Buffer Overflow '
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a header!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: checking for objects containing
mime-version: .{100,}
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: '87:.{100,}' = 'Virus-resent-date' =
'MIME Header
Buffer Overflow'
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a header!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: checking for objects containing
resent-date: .{100,}
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s:
'90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|m
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
t|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a header!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: checking for objects containing to:
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|smr@
eurosport.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|tsnlq
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a size!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a size!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: 'zipped_files.exe' = '120495' =
'W32/ExploreZip.worm.pak virus'
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: type is a size!
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: skipping auto-generated file
1082771011.93704-0.beast
Fri, 23 Apr 2004 21:43:31 -0400:93702: p_s: finished scan of dir
"/var/spool/qmailscan/tmp/beast108277101146193702" in 0.032841 secs
Fri, 23 Apr 2004 21:43:31 -0400:93702: ini_sc: scanning message took 0.033994 seconds
Fri, 23 Apr 2004 21:43:31 -0400:93702: q_r: fork off child into
/var/qmail/bin/qmail-queue...
Fri, 23 Apr 2004 21:43:31 -0400:93707: q_r: xstatus=0
Fri, 23 Apr 2004 21:43:31 -0400:93702: cleanup: /bin/rm -rf
/var/spool/qmailscan/tmp/beast108277101146193702/
/var/spool/qmailscan/working/new/beast108277101146193702
23/04/2004 21:43:31:93702: all finished. Total of 0.352052 secs
I upgraded to QS 1.22 but that didn't seem to help:
Fri, 23 Apr 2004 22:08:08 EDT:97814: +++ starting debugging for process 97814 by uid=82
Fri, 23 Apr 2004 22:08:08 EDT:97814: setting UID to EUID so subprocesses can access
files
generated by this script
Fri, 23 Apr 2004 22:08:08 EDT:97814: program name is qmail-scanner-queue.pl, version
1.22
Fri, 23 Apr 2004 22:08:08 EDT:97814: incoming SMTP connection from via SMTP from
127.0.0.1
Fri, 23 Apr 2004 22:08:08 EDT:97814: w_c: mkdir
/var/spool/qmailscan/tmp/beast108277248847997814
Fri, 23 Apr 2004 22:08:08 EDT:97814: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/beast108277248847997814 [1082772488.69036]
Fri, 23 Apr 2004 22:08:08 EDT:97814: w_c: primary Content-Type of text/plain found
Fri, 23 Apr 2004 22:08:08 EDT:97814: c_a_g: found hidden MIME attachment
Fri, 23 Apr 2004 22:08:08 EDT:97814: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/beast108277248847997814 to
/var/spool/qmailscan/working/new/beast108277248847997814 [
1082772488.79594]
Fri, 23 Apr 2004 22:08:08 EDT:97814: d_m: starting /usr/local/bin/reformime
-x/var/spool/qmailscan/tmp/beast108277248847997814/
</var/spool/qmailscan/working/new/beast108277248847
997814 [1082772488.79754]
Fri, 23 Apr 2004 22:08:08 EDT:97814: d_m: finished /usr/local/bin/reformime
-x/var/spool/qmailscan/tmp/beast108277248847997814/ [1082772488.83633]
Fri, 23 Apr 2004 22:08:08 EDT:97814: d_m: Checking all attachments to see if they're
MS-TNEF
Fri, 23 Apr 2004 22:08:08 EDT:97814: d_m: is
/var/spool/qmailscan/tmp/beast108277248847997814/1082772488.97816-0.beast is a TNEF
file?: 256
[1082772488.87017]
Fri, 23 Apr 2004 22:08:08 EDT:97814: d_m: unpacking message took 0.073505 seconds
Fri, 23 Apr 2004 22:08:08 EDT:97814: unsetting QMAILQUEUE env var
Fri, 23 Apr 2004 22:08:08 EDT:97814: g_e_h: return-path is "[EMAIL PROTECTED]", recips
is
"[EMAIL PROTECTED]"
Fri, 23 Apr 2004 22:08:08 EDT:97814: from=Charlie Root
<[EMAIL PROTECTED]>,[EMAIL PROTECTED]: Mail delivery failed: returning
message to sender], x-qmail-
scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 127.0.0.1
Fri, 23 Apr 2004 22:08:08 EDT:97814: ini_sc: start scanning
Fri, 23 Apr 2004 22:08:08 EDT:97814: ini_sc: recursively scan the directory
/var/spool/qmailscan/tmp/beast108277248847997814/
Fri, 23 Apr 2004 22:08:08 EDT:97814: scanloop: starting scan of directory
"/var/spool/qmailscan/tmp/beast108277248847997814"...
Fri, 23 Apr 2004 22:08:08 EDT:97814: scanloop:
scanner=clamscan_scanner,plain_text_msg=0
Fri, 23 Apr 2004 22:08:08 EDT:97814: clamscan: starting scan of directory
"/var/spool/qmailscan/tmp/beast108277248847997814"...
Fri, 23 Apr 2004 22:08:08 EDT:97814: run /usr/local/bin/clamscan -r -m --unzip --unrar
--unzoo
--lha --disable-summary --max-recursion=10 --max-space=100000 /var/spool/qmailscan/t
mp/beast108277248847997814 2>&1
Fri, 23 Apr 2004 22:08:12 EDT:97814: --output of clamscan was:
/var/spool/qmailscan/tmp/beast108277248847997814/1082772488.97816-0.beast: OK
--
Fri, 23 Apr 2004 22:08:12 EDT:97814: clamscan: finished scan of dir
"/var/spool/qmailscan/tmp/beast108277248847997814" in 3.479967 secs
Fri, 23 Apr 2004 22:08:12 EDT:97814: scanloop: finished scan of
"/var/spool/qmailscan/tmp/beast108277248847997814"...
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: starting scan of directory
"/var/spool/qmailscan/tmp/beast108277248847997814"...
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love
Letter
Virus/Trojan'
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a header!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: checking for objects containing subject:
ILOVEYOU
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: '82:message/partial.*' =
'Virus-content-type' =
'Message/partial MIME attachments blocked by policy'
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a header!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: checking for objects containing
content-type:
message/partial.*
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: '85:.{100,}' = 'Virus-date' = 'MIME Header
Buffer
Overflow'
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a header!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: checking for objects containing date:
.{100,}
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: '86:.{100,}' = 'Virus-mime-version' = 'MIME
Header
Buffer Overflow '
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a header!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: checking for objects containing
mime-version: .{100,}
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: '87:.{100,}' = 'Virus-resent-date' = 'MIME
Header
Buffer Overflow'
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a header!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: checking for objects containing
resent-date: .{100,}
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s:
'90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|muw
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|
[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a header!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: checking for objects containing to:
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]
rosport.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|tsnlqd@
excite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a size!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a size!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: 'zipped_files.exe' = '120495' =
'W32/ExploreZip.worm.pak virus'
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: type is a size!
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: skipping auto-generated file
1082772488.97816-0.beast
Fri, 23 Apr 2004 22:08:12 EDT:97814: p_s: finished scan of dir
"/var/spool/qmailscan/tmp/beast108277248847997814" in 0.032566 secs
Fri, 23 Apr 2004 22:08:12 EDT:97814: ini_sc: scanning message took 3.515492 seconds
Fri, 23 Apr 2004 22:08:12 EDT:97814: q_r: fork off child into
/var/qmail/bin/qmail-queue...
Fri, 23 Apr 2004 22:08:12 EDT:97824: q_r: xstatus=0
Fri, 23 Apr 2004 22:08:12 EDT:97814: cleanup: /bin/rm -rf
/var/spool/qmailscan/tmp/beast108277248847997814/
/var/spool/qmailscan/working/new/beast108277248847997814
Fri, 23 Apr 2004 22:08:12 EDT:97814: all finished. Total of 3.923533 secs
So what can I do to fix it?
Jason
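One way to reproduce the check behind the "c_a_g: found hidden MIME attachment" line in the 1.22 debug, as an added example and not qmail-scanner's or ClamAV's own code: it parses a constructed message modelled on the one quoted above (top-level Content-Type text/plain with no boundary declared, a part boundary and a base64 "bill.exe" in the body; the Subject line and the first base64 line of the MZ stub are taken from the post, everything else is constructed) and reports any attachment sitting behind a boundary the headers never announced, so it can be handed to the scanner instead of being skipped as plain text.

```python
import base64
import re
from email import message_from_string
from email.parser import HeaderParser

# First base64 line of the DOS "MZ" stub quoted in the post (72 chars, 54 bytes);
# the rest of the sample message is constructed for this example.
STUB_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" + "Q" + "A" * 39
SAMPLE = ("Subject: Mail delivery failed: returning message to sender\n"
          "Content-Type: text/plain\n\n"
          "------=_NextPart_000_0016----=_NextPart_000_0016\n"
          "Content-Type: application/octet-stream;\n\tname=\"bill.exe\"\n"
          "Content-Transfer-Encoding: base64\n"
          "Content-Disposition: attachment;\n\tfilename=\"bill.exe\"\n\n"
          + STUB_B64 + "\n"
          "------=_NextPart_000_0016----=_NextPart_000_0016--\n")

BOUNDARY_LINE = re.compile(r"^--\S+")   # anything shaped like a MIME part boundary

def find_hidden_mime_parts(raw):
    """List attachments behind boundaries the top-level Content-Type never declared."""
    msg = message_from_string(raw)
    if msg.get_boundary():              # properly declared multipart: not hidden
        return []
    body = msg.get_payload().splitlines()
    parts, i = [], 0
    while i < len(body):
        if not BOUNDARY_LINE.match(body[i]) or body[i].endswith("--"):
            i += 1                      # ordinary text, or a closing boundary
            continue
        j = i + 1                       # part headers run to the first blank line
        while j < len(body) and body[j].strip():
            j += 1
        hdrs = HeaderParser().parsestr("\n".join(body[i + 1:j]) + "\n")
        k = j + 1                       # payload runs to the next boundary-shaped line
        while k < len(body) and not BOUNDARY_LINE.match(body[k]):
            k += 1
        data = "".join(body[j + 1:k]).strip()
        enc = hdrs.get("Content-Transfer-Encoding", "").lower()
        # pad so a truncated attachment still decodes; base64 never contains '-'
        data = base64.b64decode(data + "=" * (-len(data) % 4)) if enc == "base64" else data.encode()
        parts.append({"filename": hdrs.get_filename(), "content_type": hdrs.get_content_type(),
                      "size": len(data), "dos_mz_header": data.startswith(b"MZ")})
        i = k
    return parts
```

A message that trips this check is worth scanning as a full MIME message rather than as text, which is what the 1.22 log shows happening (plain_text_msg=0) even though only one extracted file then reached clamscan.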
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general