Virus Klez.H and McAfee

Julian Field jkf at ecs.soton.ac.uk
Thu May 9 10:22:51 IST 2002


At 21:02 08/05/2002, you wrote:
>Martin Sapsed wrote:
> >
> > Freerk Kalsbeek wrote:
> > > I've seen a similar problem here.
> > > Klez is also detected in my setup with Sophos. I receive an HTML formatted
> > > email indicating that I can read details in the attachment virusalert.txt,
> > > but the attachment is not there.
> >
> > I had one this morning which was disinfected but all I see (in Netscape
> > Messenger) is a base64 encoded attachment. My guess is that the original
> > message uses slightly iffy MIME tags
>
>Correct. (the problem is a double boundary line)
>
> > and Julian's insertion of the warning doesn't quite work.
>
>Correct. (it doesn't handle multipart/alternative messages very well)
>
> > I've still got what was left if anyone who understands
> > MIME or MailScanner better than I wants to look at it?
>
>
>The following recent threads are also about this exact same problem
>(actually two separate, semi-related problems):
>
>   * Malformed attachments from MailScanner?
>   * Klez Virus get Passed !
>   * "Inline Text Warning" and "Stored Virus Message Report"
>
>I think the only workaround to be posted so far is Miroslav Spousta's
>suggestion of adding a "$parser->ignore_errors(0)" instruction to
>explode.pl. This, apparently, will cause MailScanner to completely
>discard messages containing Klez.

I don't like the sound of that, it causes mail to get thrown away which is
a "very bad thing".

>That change seems like a good thing to do in principle, but shouldn't
>the recipient at least receive a warning message when an unparseable
>message is discarded?
>
>(And in this case, it seems to me that MIME-tools ought to be able to
>parse the Klez messages. As of at least version 5.503, it can't, and
>even its fallback behavior seems rather poor.)
>
>And I'd still like to know if there's an easy way to change
>"multipart/alternative" messages to "multipart/mixed" if MailScanner
>adds a warning to them.

That sounds like a good idea. I'll work on that.
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
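
The multipart/alternative change discussed in this message, sketched as an added example in Python (not MailScanner's Perl code, and not from the original post). A mail client renders only one part of a multipart/alternative body, so this sketch wraps the original body in a new multipart/mixed container instead of relabelling it; the function names, warning text and sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import Message
from email.mime.text import MIMEText

# Constructed warning text and sample message (not taken from the thread).
WARNING = "Warning: the virus scanner removed an infected attachment.\n"
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="alt"

--alt
Content-Type: text/plain

plain body
--alt
Content-Type: text/html

<p>html body</p>
--alt--
"""

def add_warning(msg, warning=WARNING):
    """Attach a warning so that it is displayed alongside the body."""
    note = MIMEText(warning, "plain", "us-ascii")
    if msg.get_content_type() == "multipart/mixed" and msg.is_multipart():
        # Every part of multipart/mixed is shown: just prepend the note.
        msg.set_payload([note] + msg.get_payload())
        return msg
    # Otherwise move the original body (for example multipart/alternative)
    # into a child part, keeping its Content-* headers and payload untouched.
    inner = Message()
    content_headers = [k for k in msg.keys() if k.lower().startswith("content-")]
    for name in content_headers:
        inner[name] = msg[name]
    inner.set_payload(msg.get_payload())
    for name in content_headers:
        del msg[name]
    # The outer boundary is generated when the message is serialised.
    msg["Content-Type"] = "multipart/mixed"
    msg.set_payload([note, inner])
    return msg

def roundtrip_sample():
    """Wrap SAMPLE, serialise it, and parse it back as a client would."""
    wrapped = add_warning(message_from_string(SAMPLE))
    return message_from_string(wrapped.as_string())
```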


