Sobig bypassing mailscanner queues

Joan Bryan joan.bryan at KCL.AC.UK
Thu Aug 21 10:51:21 IST 2003


We're having severe difficulties in trapping all the sobig virus, as a
small percentage seems to be bypassing the mailscanner input queues,
i.e. the messages appear to be being put directly in the output queue,
as we also trap on pif and scr via filename rules.

Incidentally we trapped 118,555 instances of the sobig virus yesterday.

Unfortunately we don't seem to be able to repeat or trace these
messages. I wonder if there is anyone on the list who is able to
help? We are running sendmail and I suspect our sendmail configuration.

Here is an example from the mail log:-


Aug 21 03:47:20 angelo sendmail[13587]: [ID 801593 mail.info] h7L2lJ6V013587: from=<cgowling at hotmail.com>, size=103238, class=0, nrcpts=1, msgid=<200308210247.h7L2lJ6V013587 at angelo.kcl.ac.uk>, proto=SMTP, daemon=MTA, relay=ent.umds.ac.uk [159.92.16.14]
Aug 21 03:47:20 angelo sendmail[13590]: [ID 801593 mail.info] h7L2lJ6V013587: to=user1, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=120544, dsn=2.0.0, stat=Sent
Aug 21 03:47:20 angelo sendmail[13590]: [ID 801593 mail.info] h7L2lJ6V013587: to=user2, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=120544, dsn=2.0.0, stat=Sent
Aug 21 03:47:20 angelo sendmail[13590]: [ID 801593 mail.info] h7L2lJ6V013587: to=user3, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=120544, dsn=2.0.0, stat=Sent

The header has not been signed by the mailscanner here as we have a
different signature.

Thanks for any pointers.


----------------------
Joan Bryan
Unix Systems Administrator
Information Systems
Telephone: +44 (0) 20 7848 2671
mailto:joan.bryan at kcl.ac.uk
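An added example, not part of the original post and not MailScanner's own tooling: a small Python checker that groups sendmail syslog records by queue ID and flags locally delivered messages whose delay is zero. It assumes the usual MailScanner/sendmail layout (a receiving daemon that only queues into the incoming directory, MailScanner moving scanned files to the outgoing queue, and a second daemon delivering from there); under that assumption a message that really passed through the scanner always shows some queue dwell time, so a from=/to= pair logged in the same second with delay=00:00:00 is a candidate for a message that skipped the incoming queue. The log lines, host names, addresses, relays and queue IDs in the sample are constructed, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the sendmail/syslog format shown in the post.
# Queue IDs, PIDs, addresses and hosts are made up for this example.
SAMPLE_LOG = """\
Aug 21 03:47:20 angelo sendmail[13587]: [ID 801593 mail.info] h7L2lJ6V013587: from=<sender@example.com>, size=103238, class=0, nrcpts=2, msgid=<200308210247.h7L2lJ6V013587@angelo.example>, proto=SMTP, daemon=MTA, relay=relay.example [192.0.2.14]
Aug 21 03:47:20 angelo sendmail[13590]: [ID 801593 mail.info] h7L2lJ6V013587: to=user1, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=120544, dsn=2.0.0, stat=Sent
Aug 21 03:47:20 angelo sendmail[13590]: [ID 801593 mail.info] h7L2lJ6V013587: to=user2, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=120544, dsn=2.0.0, stat=Sent
Aug 21 03:49:02 angelo sendmail[13601]: [ID 801593 mail.info] h7L2n2AB013601: from=<other@example.org>, size=2048, class=0, nrcpts=1, msgid=<abc@example.org>, proto=SMTP, daemon=MTA, relay=mx.example.org [192.0.2.20]
Aug 21 03:49:41 angelo sendmail[13650]: [ID 801593 mail.info] h7L2n2AB013601: to=user3, delay=00:00:39, xdelay=00:00:00, mailer=local, pri=32048, dsn=2.0.0, stat=Sent
"""

# syslog prefix, optional Solaris "[ID nnn mail.info]" tag, queue id, then key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ [\w.]+\] )?(?P<qid>\w+): (?P<fields>.*)$"
)
# key=value pairs; angle-bracketed values (from=<...>, msgid=<...>) may contain commas
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")


def parse_delay(value):
    """Convert a sendmail delay such as '00:00:39' or '1+02:00:00' to seconds."""
    days = 0
    if "+" in value:
        d, value = value.split("+", 1)
        days = int(d)
    h, m, s = (int(x) for x in value.split(":"))
    return days * 86400 + h * 3600 + m * 60 + s


def parse_sendmail_log(text):
    """Group the from= record and all to= records of each queue ID."""
    messages = defaultdict(lambda: {"from": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail envelope record, e.g. a daemon status line
        rec = {"ts": m.group("ts"), "pid": m.group("pid")}
        rec.update(FIELD_RE.findall(m.group("fields")))
        entry = messages[m.group("qid")]
        if "from" in rec:
            entry["from"] = rec
        elif "to" in rec:
            entry["to"].append(rec)
    return dict(messages)


def find_direct_deliveries(messages, max_delay=0):
    """Return (queue id, recipient) pairs delivered with no queue dwell time.

    Assumption: with MailScanner in the path, a local delivery should always
    carry a non-zero delay because the message waited in the incoming queue
    for scanning. Zero delay means the receiving daemon delivered it itself.
    """
    suspicious = []
    for qid, entry in messages.items():
        for rec in entry["to"]:
            if rec.get("mailer") != "local" or rec.get("stat") != "Sent":
                continue
            delay = rec.get("delay")
            if delay is not None and parse_delay(delay) <= max_delay:
                suspicious.append((qid, rec["to"]))
    return suspicious


def summarize_by_relay(messages, suspicious):
    """Count flagged queue IDs per sending relay, to see whether one source dominates."""
    counts = defaultdict(int)
    for qid, _ in suspicious:
        frm = messages[qid]["from"]
        counts[frm["relay"] if frm else "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    msgs = parse_sendmail_log(SAMPLE_LOG)
    hits = find_direct_deliveries(msgs)
    for qid, rcpt in hits:
        print(f"{qid}: delivered to {rcpt} with no queue dwell time")
    print(summarize_by_relay(msgs, hits))
```

Run it against a day's maillog by replacing SAMPLE_LOG with the file contents; the relay summary is the quickest way to see whether the unscanned messages all arrive through one path (a second listener, a relay host, or a local submission), which is where a sendmail configuration difference would show up.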


