Goner-A problems - false alarm

Nick Phillips nwp at LEMON-COMPUTING.COM
Mon Dec 10 17:43:45 GMT 2001

On Mon, Dec 10, 2001 at 05:24:29PM -0000, brandon pearson (BITS) wrote:

> MIME-Version: 1.0
> Content-Type: multipart/related;
>          type="multipart/alternative";
>          boundary="====_ABC1234567890DEF_===="
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Unsent: 1
> Message-Id: <20011210061616.CFF69EDC4 at mmb4.vsnl.net.in>
> Date: Mon, 10 Dec 2001 11:46:16 +0530 (IST)
> X-ECS-MailScanner-BBSRC: Found to be clean
> --====_ABC1234567890DEF_====
> Content-Type: multipart/alternative;
>          boundary="====_ABC0987654321DEF_===="
> --====_ABC0987654321DEF_====
> Content-Type: text/html;
>          charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> --====_ABC0987654321DEF_====--
> --====_ABC1234567890DEF_====
> Content-Type: audio/x-wav;
>          name="HAMSTER.DOC.pif"
> Content-Transfer-Encoding: base64
> Content-ID: <EA4DMGBP9p>

Interesting. Looks like the message has been successfully passed through
the mailscanner then, as the logs would indicate, and been found to be

That would be because whatever got passed to the virus scanner was not
recognised as badtrans. This would probably be because of some kind of
problem with the MIME decoding - which at first glance does look dodgy.

If you look at the boundaries, they're all different. I can't see how
the MIME stuff that's there would decode; it looks broken. But then a
user's mailer would of course try to interpret it all as laxly as
possible, and might get bitten.

It's possible that if the MIME is not breaking down quite into the
chunks that we'd like it to, then some AV products will detect it in what
we pass them and others won't.

Which AV product are you using?

And which version of MIME-tools?



Nick Phillips -- nwp at lemon-computing.com
You should go home.

More information about the MailScanner mailing list