Gossamer Forum

[VIRUS in EMAIL!] How to identify a message file ownership?

[VIRUS in EMAIL!] How to identify a message file ownership?
Hello!

I was making a backup and then copying it on my local harddrive. There were two viruses found in the compressed data.

It would be helpful to warn the users about it AS THEY ARE VERY DANGEROUS VIRUSES.

How can I go about it? Is there a long term solution for such events which may most likely happen again?

Last edited by:

rajani: Aug 11, 2002, 1:05 AM
Re: [rajani] [VIRUS in EMAIL!] How to identify a message file ownership?
Hello Staff!

There are two virus worms somewhere in the data directory. They belong to two different UserIDs.

Investigating this further, I tried to do a query as following:

-- join the tracking and data tables on the message id, then match the scanner-reported filename
SELECT `msgdata_filename`, `msgdata_mid`, `msgtrack_userid`
FROM `Email_msgtrack`, `Email_msgdata`
WHERE msgdata_mid = msgtrack_mid
  AND msgdata_filename LIKE 'filename%'

But the query needs to be corrected.

I tried to find out from phpMyAdmin and got it manually. Then I checked the email box from the admin.

In case of USER ONE:

I had to laugh. Because it shows:

In the left menu: Inbox (70/55)
On the right: You have 70 message(s) total and 80 unread message(s) in this folder.

So this user has ten messages in the box somewhere that are ghost. One of the ghost is a VIRUS.

There was no possibility to find out this particular message as msgtrack_id did not appear.

The user has no chance to find it out but this one needs to be a research project for GT.

In case of USER TWO:

The file with msgtrack_id also did appear in the message header. The user has only two messages, unread. It was possible to delete.
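The ownership lookup the post above is attempting, together with a check for untracked ("ghost") message files, as an added example that is not Gossamer Mail's own code or schema: it builds a throwaway in-memory SQLite copy of the two tables using only the column names that appear in the post (msgtrack_id, msgtrack_mid, msgtrack_userid, msgdata_mid, msgdata_filename); every other column, the table layout, and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Added example, not Gossamer Mail code. The column names used in the post are kept;
# msgtrack_folder, the key layout and all sample rows are constructed assumptions.
SCHEMA = """
CREATE TABLE Email_msgtrack (
    msgtrack_id     INTEGER PRIMARY KEY,
    msgtrack_mid    INTEGER NOT NULL,
    msgtrack_userid TEXT    NOT NULL,
    msgtrack_folder TEXT    NOT NULL
);
CREATE TABLE Email_msgdata (
    msgdata_mid      INTEGER PRIMARY KEY,
    msgdata_filename TEXT    NOT NULL
);
"""

# Constructed sample data: message 103 has a data file but no tracking row,
# so it is a "ghost" that no user can see or delete from the web interface.
MSGTRACK_ROWS = [
    (1, 101, "userone", "Inbox"),
    (2, 102, "userone", "Inbox"),
    (3, 201, "usertwo", "Inbox"),
]
MSGDATA_ROWS = [
    (101, "d3/1028701234.msg"),
    (102, "d3/1028701299.msg"),
    (103, "a7/1028702001.msg"),
    (201, "f1/1028702450.msg"),
]


def open_sample_db():
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Email_msgtrack VALUES (?, ?, ?, ?)", MSGTRACK_ROWS)
    conn.executemany("INSERT INTO Email_msgdata VALUES (?, ?)", MSGDATA_ROWS)
    return conn


def owners_of_file(conn, filename):
    """Map a filename reported by the scanner to (userid, msgtrack_id, folder) tuples.

    An exact match on the filename is used rather than a LIKE pattern; the join
    on the message id is what ties a data file back to a mailbox entry.
    """
    return conn.execute(
        """
        SELECT msgtrack_userid, msgtrack_id, msgtrack_folder
        FROM Email_msgdata
        JOIN Email_msgtrack ON msgtrack_mid = msgdata_mid
        WHERE msgdata_filename = ?
        """,
        (filename,),
    ).fetchall()


def ghost_files(conn):
    """Data files with no tracking row: present on disk, invisible to every mailbox."""
    return conn.execute(
        """
        SELECT msgdata_mid, msgdata_filename
        FROM Email_msgdata
        LEFT JOIN Email_msgtrack ON msgtrack_mid = msgdata_mid
        WHERE msgtrack_mid IS NULL
        ORDER BY msgdata_mid
        """
    ).fetchall()


def tracked_count(conn, userid, folder):
    """Number of messages a user can actually see in a folder (the folder-list figure)."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM Email_msgtrack WHERE msgtrack_userid = ? AND msgtrack_folder = ?",
        (userid, folder),
    ).fetchone()
    return n


if __name__ == "__main__":
    db = open_sample_db()
    for path in ("d3/1028701299.msg", "a7/1028702001.msg"):
        print(path, "->", owners_of_file(db, path) or "no owner (ghost file)")
    print("ghost files:", ghost_files(db))
    print("userone Inbox shows", tracked_count(db, "userone", "Inbox"), "tracked messages")
```

When the scanner reports a full path, pass only the part that the data table stores (here the relative path under the data directory). Ghost files are exactly the rows the first user's situation describes: the file exists, the scanner finds it, but no tracking row points at it, so the user's folder view never lists it and only an admin can remove it.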
Re: [rajani] [VIRUS in EMAIL!] How to identify a message file ownership?
Hi,

The virus poses no threat to your server, but does pose a threat to your user if he downloads and executes the program.

We are looking at partnering with a commercial anti-virus provider, but are having trouble finding one that will work via command line on Linux (and BSD/Solaris and Windows too), is easy to install, and is reasonably priced (many command line scanners for Unix are more than $3,000, not including updates). If anyone has experience with a good anti-virus scanner that is reasonably priced, I'd love to hear about it and we will contact them to see what we can do.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] [VIRUS in EMAIL!] How to identify a message file ownership?
Hi Alex,

Just have a look at:

http://www.ravantivirus.com I had installed the same but could not give it a go because of my lower version of Courier-MTA. Commercially, a 6 domain license would cost 450 USD as offered to me, and the updates are all run as a daemon process. The AV is available for the following mail server and OS combinations:

Sendmail
Sendmail Libmilter
Qmail
Postfix
CommuniGate Pro
Exim
MS Exchange 5.5
MS Exchange 2000
DMail
Courier

I am looking for someone to upgrade my courier-mta to the latest version and then I'll have another go. They offer free testing on two domains for 60 days, and installation from the command line is a two-minute job at the most.

Thnx

Anup

PS: Sorry for the formatting. I am not sure how to get the table tags up on Forum....

Last edited by:

anup123: Aug 13, 2002, 10:21 AM
Re: [anup123] [VIRUS in EMAIL!] How to identify a message file ownership?
Thanks, I'll have a look. Very strange that 6 domains is cheaper than 5, but hey. =)

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] [VIRUS in EMAIL!] How to identify a message file ownership?
Quote:
Very strange that 6 domains is cheaper than 5, but hey. =)

Yes it is. In fact, had I been able to test it, I would have negotiated further on the cost, and you know what industry standards are when it comes to offering discounts ;-)

In addition, GT can always sign up for the OEM partner program (which would probably get greater discounts).

Anup

Last edited by:

anup123: Aug 13, 2002, 10:48 AM
Re: [Alex] [VIRUS in EMAIL!] How to identify a message file ownership?
Hi.

ravantivirus killed by M$. They have purchased the IPR of GeCad and they wouldn't be taking any new orders. Another M$ move dictated more by money power. No more good cheap AV software for MTAs on Linux?

Anup
Re: [anup123] [VIRUS in EMAIL!] How to identify a message file ownership?
Hello,

We are currently using clamav as antivirus (+ Mailscanner + Mailwatch). We installed it about 6 months ago and it works perfectly, after tuning it a little bit. It upgrades automatically and you don't have to worry about licenses or installing new versions as with Sophos.

We configured Mailscanner in order to scan all emails using Sophos and ClamAV. After three months, when the Sophos trial ended, Sophos had only detected one more virus than ClamAV out of approximately 3000 in total. However, with Sophos we had to upgrade the license, so it was a little bit annoying.

I just thought it could be useful if anybody is planning to install an antivirus system.

Regards,

NArcís
Re: [narcis] [VIRUS in EMAIL!] How to identify a message file ownership?
Hi.

Reading this, I did a ClamAV+Mailscanner+Spamassassin install. Excellent. The installation was easy with cPanel. However, any idea how to get SpamAssassin's Auto Learn set to Yes? It is currently set to No by default.

Thanks for the input. After the takeover of RAV by M$, affordable AV stuff was hard to find, and this is *Free*.

Anup
Re: [narcis] [VIRUS in EMAIL!] How to identify a message file ownership?
Hi.

In case you are on Exim, try the exiscan+clamav combination. I upgraded to 4.34 and switched from Mailscanner+clamav to exiscan+clamav.
Greatly reduced server loads.
Connections are refused at the SMTP level, so all the bounces to fake addresses queueing up are eliminated :-)

Thanks
Anup