Folks,
I posted this yesterday but thought I'd send over the whole thing again so you can look at what's going on. I got an infected message from the RedHat Network Mailing List. This was not a bounce. It was not scanned as it was interpreted to be PLAIN Text. Norton AV at the desktop caught it and quarantined a file called ofo.zip that was attached. Following is the log entry and the entire email (minus the removed .zip file).
I'll take a stab at it...
There is one Content-Type header indicating text/plain in the message; there are no other (e.g. multipart) headers; the base64 content was indeed part of the message -body-. So QS (and clamav), IMO, did the "right thing" in considering this as TEXT (what else would they have to go by?).
I'm -guessing- that:
a) the MUA did NOT display any attachment available, or would not display same if you turn off Norton and allow the MUA to receive said message;
b) Norton has a base64 pattern for mydoom and does some other stuff to unencode/unarchive/quarantine.
I agree that this is a disturbing finding, I see it myself with Norton on the users desktops.
Maybe someone with another desktop AV can report in?
+++snip+++
Wed, 11 Feb 2004 06:38:32 -0500:7585: +++ starting debugging for process 7585 by uid=502
Wed, 11 Feb 2004 06:38:32 -0500:7585: w_c: elapsed time from start 0.036366 secs
Wed, 11 Feb 2004 06:38:32 -0500:7585: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED]'
Wed, 11 Feb 2004 06:38:32 -0500:7585: from='[EMAIL PROTECTED]', subj='rhn-users digest, Vol 1 #903 - 1 msg', via SMTP from 66.187.233.30
Wed, 11 Feb 2004 06:38:32 -0500:7585: This is a PLAIN text message, skip virus scanners - but not SA
Wed, 11 Feb 2004 06:38:32 -0500:7585: SA: required_hits=4.5 sa_quarantine=0 sa_delete=9.9
Wed, 11 Feb 2004 06:38:32 -0500:7585: SA: finished scan in 1.834806 secs - hits=2.2
Wed, 11 Feb 2004 06:38:32 -0500:7585: p_s: finished scan in 0.014179 secs
Wed, 11 Feb 2004 06:38:32 -0500:7585: ini_sc: finished scan of "/var/spool/qmailscan/tmp/corpsrvr10764995125477585"...
Wed, 11 Feb 2004 06:38:32 -0500:7585: ini_sc: elapsed time from start 1.916624 secs
Wed, 11 Feb 2004 06:38:34 -0500:7585: ------ all finished. Total of 2.049754 secs
+++snip+++
+++ email message +++
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 7593 invoked by uid 570); 11 Feb 2004 11:38:34 -0000
Received: from [EMAIL PROTECTED] by corpsrvr by uid 502 with qmail-scanner-1.20st (fprot(2004-02-10)/avp(2004-02-09). spamassassin: 2.61. Clear:RC:0(66.187.233.30):SA:0(2.2/4.5):. Processed in 1.927499 secs); 11 Feb 2004 11:38:34 -0000
X-Spam-Status: No, hits=2.2 required=4.5
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via corpsrvr
X-Qmail-Scanner: 1.20st (Clear:RC:0(66.187.233.30):SA:0(2.2/4.5):. Processed in 1.927499 secs)
Received: from unknown (HELO hormel.redhat.com) (66.187.233.30) by britannicaviation.com with SMTP; 11 Feb 2004 11:38:32 -0000
Received: from listman.back-rdu.redhat.com (listman.back-rdu.redhat.com [10.10.2.136]) by hormel.redhat.com (Postfix) with ESMTP id 2B883136042; Wed, 11 Feb 2004 06:38:33 -0500 (EST)
Date: Wed, 11 Feb 2004 06:36:02 -0500
Message-ID: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
Subject: rhn-users digest, Vol 1 #903 - 1 msg
X-Mailer: Mailman v2.0.13
MIME-version: 1.0
Content-type: text/plain
To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.0.13
Precedence: junk
Reply-To: [EMAIL PROTECTED]
X-Reply-To: [EMAIL PROTECTED]
List-Help: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/rhn-users>, <mailto:[EMAIL PROTECTED]>
List-Id: Red Hat Network Users List <rhn-users.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/rhn-users>, <mailto:[EMAIL PROTECTED]>
List-Archive: <https://www.redhat.com/archives/rhn-users/>
Content-Transfer-Encoding: base64
+++ end email message +++
Perhaps someone can discover why this was not scanned. I have redundant scanning on and I use f-secure which consistently finds the virus if it gets a chance to scan it. Thanks.
Rgds,
__________________________
Greg Kelley, Technology Director
Britannic Aviation, US and UK
US Office: Pease Int'l Tradeport
68 New Hampshire Ave.
Portsmouth, NH 03801
603.766.3005
http://www.britannicaviation.com
AOPA, EAA, SSA
CFII SEL, MEL; Comm Glider
------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Qmail-scanner-general mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
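Added example (my own code, not qmail-scanner's and not from either poster): a scan-exemption check that does not trust the Content-Type header alone. When a text/plain message carries Content-Transfer-Encoding: base64, as the quoted headers do, it decodes the body and looks for a nested MIME structure before deciding to skip the virus scanners. The sample messages, the "sample.zip" name and its placeholder bytes are constructed for the example.

```python
"""Decide whether a 'text/plain' message may skip the virus scanners."""
import base64
import email
import re

# Lines that only make sense inside a MIME message. If the decoded body
# contains them, it is a nested message whatever the outer header says.
# (A plain body that quotes headers in a discussion also matches; the cost
# of that false positive is just one extra AV scan.)
NESTED_MIME = re.compile(
    rb"^(content-type:|content-disposition:|content-transfer-encoding:|--[-=_.\w]{8,})",
    re.IGNORECASE | re.MULTILINE,
)

def scan_decision(raw):
    """Return 'skip', 'scan' or 'scan-nested-mime' for raw RFC 822 text."""
    msg = email.message_from_string(raw)
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return "scan"                      # anything non-trivial goes to AV
    cte = msg.get("Content-Transfer-Encoding", "7bit").strip().lower()
    if cte != "base64":
        return "skip"                      # genuinely plain, readable text
    # base64 on a text/plain body can wrap an entire message, so decode it.
    try:
        body = base64.b64decode(msg.get_payload(), validate=False)
    except ValueError:
        return "scan"                      # undecodable base64 is suspicious
    if NESTED_MIME.search(body):
        return "scan-nested-mime"          # hidden attachment: never skip
    return "scan"                          # opaque bytes, not text: scan anyway

# Constructed samples. The outer headers say text/plain, but the base64 body
# of SAMPLE_HIDDEN is a small multipart message carrying an attachment.
_INNER = (
    "This is a multi-part message in MIME format.\n\n"
    "------=_NextPart_CONSTRUCTED_0001\n"
    'Content-Type: application/octet-stream; name="sample.zip"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="sample.zip"\n\n'
    "QUJDRA==\n"                           # placeholder bytes, not a real archive
    "------=_NextPart_CONSTRUCTED_0001--\n"
)
_HEADERS = ("From: list@example.invalid\nTo: user@example.invalid\n"
            "Subject: constructed digest\nMIME-Version: 1.0\nContent-Type: text/plain\n")
SAMPLE_HIDDEN = _HEADERS + "Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(_INNER.encode()).decode()
SAMPLE_PLAIN = _HEADERS + "\nJust a normal digest body.\n"
SAMPLE_B64_TEXT = _HEADERS + "Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(b"Just text.\n").decode()

if __name__ == "__main__":
    for name, raw in [("hidden", SAMPLE_HIDDEN), ("plain", SAMPLE_PLAIN), ("b64text", SAMPLE_B64_TEXT)]:
        print(name, scan_decision(raw))
```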