Date: Fri, 3 Apr 2009 06:48:29 GMT
From: Sergey <starikov@caotus.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/133333: ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
Message-ID: <200904030648.n336mTGm086465@www.freebsd.org>
Resent-Message-ID: <200904030650.n336o17a027492@freefall.freebsd.org>
>Number:         133333
>Category:       ports
>Synopsis:       ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 03 06:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Sergey
>Release:        FreeBSD 6.3-RELEASE #0
>Organization:
>Environment:
FreeBSD mail.mydomain.ru 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Mon Dec 22 11:03:36 MSK 2008 root@mail.mydomain.ru:/usr/obj/usr/src/sys/CUSTOM_KERNEL i386
>Description:
ClamAV is running as a milter for sendmail Version 8.14.2.

The problem appeared after the update of ClamAV from 0.94.2 to 0.95.

Normally ClamAV rejects viruses like this:

clamd.log:
Apr 3 04:20:17 gw-1 clamav-milter[82788]: Message n330KFwi084209 from <> to <my-user> with subject 'Mail delivery failed: returning message to sender' message-id '<E1LpX8m-0006jH-82@fam6.famatech.com>' date 'Thu, 02 Apr 2009 19:20:12 -0500' infected by Worm.SomeFool.P

maillog:
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: from=<>, size=43403, class=0, nrcpts=1, msgid=<E1LpX8m-0006jH-82@fam6.famatech.com>, proto=ESMTP, daemon=IPv4, relay=mx.mydomain.ru [194.186.213.3]
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550 5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: to=<my-user@mydomain.ru>, delay=00:00:02, pri=73403, stat=We don't receive viruses like Worm.SomeFool.P

But when it meets Worm.Mydoom.I the behaviour changes to:

clamd.log, just:
Apr 3 08:14:23 gw-1 clamd[39534]: fd[10]: Worm.Mydoom.I FOUND

maillog:
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: from=<irina.mashkina@russianpost.ru>, size=31040, class=0, nrcpts=1, msgid=<200904030414.n334EMWU090084@gw-1.caotus.ru>, proto=ESMTP, daemon=IPv4, relay=gw-3.caotus.ru [194.186.213.3]
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter): cmd read returned 0, expecting 5
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error state
Apr 3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: <my-user@mydomain.ru>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=151427, relay=local, dsn=2.0.0, stat=Sent

As a result, ClamAV antivirus:
1. Passes the infected e-mail to local users
2. Stops anti-virus scanning of e-mails and only begins checking again after a restart, until it catches the next Worm.Mydoom.I
>How-To-Repeat:
1. Turn on a mail server which uses ClamAV Milter;
2. Send some test letters containing viruses via this e-mail server (one of them, but not the first and not the last, must be Worm.Mydoom.I);
3. Read clamd.log and maillog
>Fix:
As a temporary, rather bad fix I've had to fall back on ClamAV-0.94.2.
>Release-Note:
>Audit-Trail:
>Unformatted:
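As an added illustration that is not part of this PR: a small correlator over sendmail's maillog that flags the fail-open pattern the report shows, namely a message tagged "X-Virus-Status: Infected" whose milter then drops to error state and which is still delivered with stat=Sent, while the healthy path ends in a 550 reject. The sample log lines are constructed after the ones above, with placeholder hosts and addresses.

```python
import re

# Constructed sample lines modelled on the maillog excerpts in the report.
# Hosts and addresses are placeholders; the queue ids are the ones from the PR.
SAMPLE_MAILLOG = """\
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: from=<>, size=43403, nrcpts=1, relay=mx.example.invalid [192.0.2.10]
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550 5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: from=<sender@example.invalid>, size=31040, nrcpts=1, relay=gw-3.example.invalid [192.0.2.11]
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter): cmd read returned 0, expecting 5
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error state
Apr  3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: to=<user@example.invalid>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

# sendmail prefixes every per-message line with the queue id, which is the join key.
LINE_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$")
INFECTED_RE = re.compile(r"X-Virus-Status: Infected \((?P<sig>[^)]+)\)")
ERROR_RE = re.compile(r"Milter \((?P<milter>\w+)\): to error state")
SENT_RE = re.compile(r"\bstat=Sent\b")


def find_fail_open(log_text):
    """Return {qid: (signature, milter)} for messages that the milter marked
    infected, after which the milter went to error state and sendmail still
    delivered the message. A 550 reject (no stat=Sent) is the healthy path."""
    infected, errored, sent = {}, {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        if (i := INFECTED_RE.search(msg)):
            infected[qid] = i.group("sig")
        elif (e := ERROR_RE.search(msg)):
            errored[qid] = e.group("milter")
        elif SENT_RE.search(msg):
            sent.add(qid)
    return {q: (infected[q], errored[q]) for q in infected if q in errored and q in sent}


if __name__ == "__main__":
    for qid, (sig, milter) in find_fail_open(SAMPLE_MAILLOG).items():
        print(f"FAIL-OPEN {qid}: {sig} delivered after {milter} entered error state")
```

Sendmail's default when a milter fails mid-session is to continue without it, which is why the message above was delivered; the `F=T` (tempfail) or `F=R` (reject) flag on the INPUT_MAIL_FILTER definition makes the filter fail closed instead.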