Sophos issues

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Wed Jan 29 14:41:59 GMT 2003


On Tue 28/01/2003 at 16:33, Julian Field wrote:
> If it gained a winmail.dat then an Exchange Server is involved somewhere en 
> route, or else he was using Outlook with "Rich Text Format" enabled.

None of the above are true.  The message I received did not have any
winmail.dat in it and was addressed to me AND to the sender.  The
headers clearly indicate that no Exchange server was used (smtp2 is my
Linux MailScanner relay and courriel is my Cyrus-IMAP server):

Return-Path: <andre.fredette at USherbrooke.ca>
Received: from courriel.usherbrooke.ca ([unix socket]) by
        courriel.usherbrooke.ca (Cyrus v2.1.8) with LMTP; Tue, 28 Jan 2003 16:00:04
        -0500
X-Sieve: CMU Sieve 2.2
Received: from smtp2.usherbrooke.ca (smtp2.usherb.ca [132.210.13.6]) by
        courriel.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SL03j18663 for
        <bead2306 at livraison.locale>; Tue, 28 Jan 2003 16:00:03 -0500
Received: from STI106 ([132.210.180.18]) by smtp2.usherbrooke.ca
        (8.11.6/8.11.6) with ESMTP id h0SKxwK10556 for
        <Denis.Beauchemin at USherbrooke.ca>; Tue, 28 Jan 2003 15:59:58 -0500
From: =?iso-8859-1?Q?Andr=E9_Fredette?= <andre.fredette at USherbrooke.ca>
To: "Denis Beauchemin" <Denis.Beauchemin at USherbrooke.ca>, "=?iso-8859-1?Q?Andr=E9_Fredette_\=28Andr=E9_Fredette\=29?=" <Andre.Fredette at USherbrooke.ca>
Subject: TEST EXTRENTION   ???.XML
Date: Tue, 28 Jan 2003 15:59:57 -0500
Message-ID: <000c01c2c710$36dc8120$12b4d284 at STI106>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000D_01C2C6E6.4E067920"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
X-MailScanner: Aucun code suspect =?ISO-8859-1?Q?d=E9tect=E9?=
X-MailScanner-SpamCheck: n'est pas un polluriel, SpamAssassin (Courriel
        dépassant la taille maximale)
X-Evolution-Source: imap://bead2306@courriel.usherbrooke.ca/

------=_NextPart_000_000D_01C2C6E6.4E067920
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000E_01C2C6E6.4E08EA20"
...

------=_NextPart_001_000E_01C2C6E6.4E08EA20
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; CHARSET=iso-8859-1
...

------=_NextPart_001_000E_01C2C6E6.4E08EA20
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; CHARSET=iso-8859-1
...

------=_NextPart_001_000E_01C2C6E6.4E08EA20--

------=_NextPart_000_000D_01C2C6E6.4E067920
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="S812.CHOIXET.XML"
Content-Type: text/xml; NAME=S812.CHOIXET.XML

<?xml version=3D"1.0" encoding=3D"ISO-8859-1" standalone=3D"yes" ?>
...


Here are the headers from the message he received:

Return-Path: <andre.fredette at USherbrooke.ca>
Received: from courriel.usherbrooke.ca ([unix socket])
        by courriel.usherbrooke.ca (Cyrus v2.1.8) with LMTP; Tue, 28 Jan 2003 16:00:14 -0500
X-Sieve: CMU Sieve 2.2
Received: from smtp2.usherbrooke.ca (smtp2.usherb.ca [132.210.13.6])
        by courriel.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SL0Ej18703
        for <frea1502 at livraison.locale>; Tue, 28 Jan 2003 16:00:14 -0500
Received: from STI106 ([132.210.180.18])
        by smtp2.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SKxxK10558
        for <Andre.Fredette at USherbrooke.ca>; Tue, 28 Jan 2003 15:59:59 -0500
From: =?iso-8859-1?Q?Andr=E9_Fredette?= <andre.fredette at USherbrooke.ca>
To: "Denis Beauchemin" <Denis.Beauchemin at USherbrooke.ca>,
   "=?iso-8859-1?Q?Andr=E9_Fredette_\=28Andr=E9_Fredette\=29?="
<Andre.Fredette at USherbrooke.ca>
Subject: {VIRUS} TEST EXTRENTION   ???.XML
Date: Tue, 28 Jan 2003 15:59:57 -0500
Message-ID: <001201c2c710$37727f90$12b4d284 at STI106>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0013_01C2C6E6.4E9C7790"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
X-MS-TNEF-Correlator: 00000000FA556A646B57924283742D2D536E9DD624B02100
X-MailScanner: Code suspect =?ISO-8859-1?Q?d=E9tect=E9?=
X-MailScanner-SpamCheck: n'est pas un polluriel,
        SpamAssassin (Courriel dépassant la taille maximale)


Now, can you find something out of this???

Denis
> 
> Please can you try a route that does not involve any winmail.dat files.
> 
> The version that came to you was perfectly intact, so that route is working 
> (which I assume involved MailScanner somewhere).
> 
> At 21:27 28/01/2003, you wrote:
> >Julian,
> >
> >I upgraded to 3.66 and asked a user to send me the test file that caused
> >problems last week.
> >
> >Turns out the problem is still there!  He sent me a file with an XML
> >extension (no trace of this one in filename.rules.conf) and put his own
> >email address in cc:.
> >
> >I received the file OK and have been able to load it in Mozilla.
> >
> >He received an error message with the subject changed to include {VIRUS}
> >and the following error message:
> >Could not check winmail.dat (corrupt)
> >
> >Strange thing: his message had no winmail.dat in it (there was none in
> >the copy I received), just the S812.CHOIXET.XML file.
> >
> >He also received a second message saying that his PC was probably
> >infected and should be checked...  again, the message included:
> >Could not check winmail.dat (corrupt)
> >
> >Any ideas what is going on?
> >
> >Denis
> >

-- 
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
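The comparison Denis does by hand above (which hop each copy took, which attachments it actually carries, and which headers differ between the two copies) can be scripted. The following is an added example for this thread, not code from MailScanner or from anyone in the discussion. The two sample messages are constructed here from the headers quoted above, with the archive's "at" obfuscation undone and the bodies shortened to one text part plus the XML attachment; the third sample, with a real application/ms-tnef winmail.dat part, is hypothetical and is only there to show what the check reports when TNEF is genuinely present.

```python
"""Compare two captured copies of one message and report what a
winmail.dat/TNEF check would see in each.  Added example for this thread;
not MailScanner code.  Samples are constructed from the quoted headers."""
import email
import re
from email.message import Message
from typing import List

# Constructed sample: the copy delivered to Denis (XML attachment, no TNEF).
COPY_TO_DENIS = """\
Return-Path: <andre.fredette@USherbrooke.ca>
Received: from courriel.usherbrooke.ca ([unix socket]) by
        courriel.usherbrooke.ca (Cyrus v2.1.8) with LMTP; Tue, 28 Jan 2003 16:00:04
        -0500
Received: from smtp2.usherbrooke.ca (smtp2.usherb.ca [132.210.13.6]) by
        courriel.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SL03j18663 for
        <bead2306@livraison.locale>; Tue, 28 Jan 2003 16:00:03 -0500
Received: from STI106 ([132.210.180.18]) by smtp2.usherbrooke.ca
        (8.11.6/8.11.6) with ESMTP id h0SKxwK10556 for
        <Denis.Beauchemin@USherbrooke.ca>; Tue, 28 Jan 2003 15:59:58 -0500
From: Andre Fredette <andre.fredette@USherbrooke.ca>
To: Denis Beauchemin <Denis.Beauchemin@USherbrooke.ca>
Subject: TEST EXTRENTION   ???.XML
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000D"
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MailScanner: Aucun code suspect detecte

------=_NextPart_000_000D
Content-Type: text/plain; charset=iso-8859-1

test

------=_NextPart_000_000D
Content-Type: text/xml; name=S812.CHOIXET.XML
Content-Disposition: attachment; filename="S812.CHOIXET.XML"

<?xml version="1.0" encoding="ISO-8859-1" standalone="yes" ?>
<choix/>

------=_NextPart_000_000D--
"""

# Constructed sample: the copy delivered back to the sender.  Same body, but
# the header block carries X-MS-TNEF-Correlator and the {VIRUS} subject tag.
COPY_TO_SENDER = (
    COPY_TO_DENIS
    .replace("Subject: TEST", "Subject: {VIRUS} TEST")
    .replace(
        "X-MailScanner: Aucun code suspect detecte",
        "X-MS-TNEF-Correlator: 00000000FA556A646B57924283742D2D536E9DD624B02100\n"
        "X-MailScanner: Code suspect detecte",
    )
)

# Hypothetical sample: a genuine Outlook "Rich Text" message, which carries
# an application/ms-tnef part named winmail.dat (payload is placeholder bytes).
COPY_WITH_WINMAIL = """\
From: someone@example.invalid
To: someone-else@example.invalid
Subject: rich text test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

see attached

--B1
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Disposition: attachment; filename="winmail.dat"
Content-Transfer-Encoding: base64

eJ8+IgAAAA==

--B1--
"""


def received_hops(msg: Message) -> List[str]:
    """Host named after 'from' in each Received header, latest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", value)
        if m:
            hops.append(m.group(1))
    return hops


def is_tnef_part(part: Message) -> bool:
    """A part is TNEF if its media type says so or it is the classic winmail.dat."""
    if part.get_content_type() == "application/ms-tnef":
        return True
    return (part.get_filename() or "").lower() == "winmail.dat"


def inspect_message(raw: str) -> dict:
    """Facts relevant to a 'Could not check winmail.dat' verdict."""
    msg = email.message_from_string(raw)
    attachments, tnef_parts = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        if is_tnef_part(part):
            tnef_parts += 1
    return {
        "hops": received_hops(msg),
        "attachments": attachments,
        "tnef_parts": tnef_parts,
        "tnef_correlator": msg.get("X-MS-TNEF-Correlator") is not None,
        "tagged_virus": msg.get("Subject", "").startswith("{VIRUS}"),
    }


def differing_headers(raw_a: str, raw_b: str) -> List[str]:
    """Header names (lower-cased) whose values or presence differ between copies."""
    a = email.message_from_string(raw_a)
    b = email.message_from_string(raw_b)
    names = {k.lower() for k in a.keys()} | {k.lower() for k in b.keys()}
    return sorted(n for n in names if sorted(a.get_all(n, [])) != sorted(b.get_all(n, [])))


if __name__ == "__main__":
    for label, raw in (("to Denis", COPY_TO_DENIS), ("to sender", COPY_TO_SENDER),
                       ("real TNEF", COPY_WITH_WINMAIL)):
        print(label, inspect_message(raw))
    print("headers that differ:", differing_headers(COPY_TO_DENIS, COPY_TO_SENDER))
```

On the two constructed copies the script reports the same three hops and the same single XML attachment, zero TNEF parts in both, and only three headers that differ: the subject tag, X-MailScanner, and the X-MS-TNEF-Correlator header that exists solely in the sender's copy. The third sample shows the check counting a TNEF part only when an application/ms-tnef or winmail.dat part is actually present, which is the question to settle before trusting a "corrupt winmail.dat" verdict.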
