sobig and MS headers

Paul zen23003 at ZEN.CO.UK
Tue Aug 26 11:57:20 IST 2003


Just got back from holiday, so only recently spotted this problem on the
MailScanner site (http://www.sng.ecs.soton.ac.uk/mailscanner/sobig.html).

I notice the default setting in MailScanner.conf is "Sign Messages Already
Processed = no".

Just to clarify, if a box running MailScanner with default settings receives
the Sobig.F virus with the fake "X-MailScanner: Found to be clean" header,
will it replace "X-MailScanner: Found to be clean" with "X-MailScanner:
Found to be infected"?

----- Original Message -----
Date:         Tue, 19 Aug 2003 16:28:50 +0100
From:         Julian Field <mailscanner at ECS.SOTON.AC.UK>
Subject:      Re: sobig and MS headers

To verify the point about what headers are used for what, the headers are
only used in 1 place.

When you have a clean message that you are about to sign
         "Sign Clean Messages = yes"
the presence of the main MailScanner header
         "Mail Header = X-MailScanner:"
is checked. If it is already present, and
         "Sign Messages Already Processed = no"
then the inline signature will not be added.

This is so that each message leaving your site is only signed once, no
matter how many of your MailScanner systems it passes through on its
way out of your site.
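
A model of the signing check described in the quoted reply, as an added example that is not part of the original thread and is not MailScanner's own code. The function names, the config parser and the sample messages are constructed for illustration; the three setting names are the ones quoted above. The scan verdict is passed in separately to show that the header affects only whether the inline signature is added.

```python
from email import message_from_string

# Constructed MailScanner.conf fragment using the three settings quoted above.
CONF = """\
Sign Clean Messages = yes
Mail Header = X-MailScanner:
Sign Messages Already Processed = no
"""

# Constructed sample messages: FORGED carries a fake "clean" header.
FORGED = "From: a@example.com\nX-MailScanner: Found to be clean\nSubject: hi\n\nbody\n"
PLAIN = "From: a@example.com\nSubject: hi\n\nbody\n"


def parse_conf(text):
    """Parse 'Key = value' lines into a dict keyed by lower-cased setting name."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # skip comments and blank lines
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def should_sign(raw_message, conf, scan_result_clean):
    """Hypothetical model of the one decision the header influences.

    scan_result_clean is the scanner's verdict; it never comes from the header.
    """
    if not scan_result_clean:
        return False  # the inline signature only applies to clean messages
    if conf["sign clean messages"].lower() != "yes":
        return False
    header_name = conf["mail header"].rstrip(":")  # configured with a trailing colon
    msg = message_from_string(raw_message)
    already_marked = msg.get(header_name) is not None  # lookup is case-insensitive
    if already_marked and conf["sign messages already processed"].lower() != "yes":
        return False  # header present, genuine or forged: skip the signature
    return True
```

With the settings above, a forged header on a message the scanner judged clean suppresses the inline signature and nothing else in this model.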


