Sobig.E Getting Through Intermittently

Nathan Johanson nathan at TCPNETWORKS.NET
Thu Jun 26 17:43:05 IST 2003


Hello,

We have been seeing intermittent copies of Sobig.E getting through
MailScanner w/ F-prot. The virus is inside a zip file called "your
details.zi"--notice the renamed extension. The file squeezed through
and it's apparently related to the format of the message as it passed
through Sendmail. Please see the log excerpt below. I broke out the
rather conspicuous error that's logged by Sendmail. I received several
of these yesterday. Does anyone know what this is about or how to guard
against it in the future?

Truncated MIME Content-Disposition header due to field size (length =
28) (possible attack) -- see log excerpt below for full context (error
is preceded with ***).

==Sendmail Log Excerpt==

Jun 25 18:09:46 ns1 sendmail[20939]: h5Q19f220939: from=<sales at yellow.com>, size=111823, class=0, nrcpts=1, msgid=<200306260109.h5Q19f220939 at server.comain.com>, proto=ESMTP, daemon=MTA, relay=[IP ADDRESS]
Jun 25 18:09:46 ns1 sendmail[20939]: h5Q19f220939: to=<user at domain.com>, delay=00:00:05, mailer=smtp, pri=141823, stat=queued
Jun 25 18:09:48 ns1 MailScanner[20654]: New Batch: Scanning 1 messages, 112312 bytes
Jun 25 18:09:48 ns1 MailScanner[20654]: Spam Checks: Starting
Jun 25 18:09:49 ns1 MailScanner[20654]: Virus and Content Scanning: Starting
Jun 25 18:09:49 ns1 MailScanner[20654]: Uninfected: Delivered 1 messages

*** Jun 25 18:09:52 ns1 sendmail[20950]: h5Q19f220939: Truncated MIME Content-Disposition header due to field size (length = 28) (possible attack)

Jun 25 18:09:53 ns1 sendmail[20950]: h5Q19f220939: to=<user at domain.com>, delay=00:00:12, xdelay=00:00:04, mailer=smtp, pri=231823, relay=mail.domain.com. [IP ADDRESS], dsn=2.0.0, stat=Sent (OK)

===VirusWarning.txt snippet from infected message===
The user who received the message actually forwarded the message back to
me. It passed through a different MailScanner protected server and was
caught this time. This is the virus warning I received.

The original e-mail attachment "your_details.zi" was believed to be infected by a virus and has been replaced by this warning message.

At Thu Jun 26 08:57:26 2003 the virus scanner said:
   your_details.zi->details.pif  Infection: W32/Sobig.E at mm

Sincerely,

Nathan Johanson
Email: nathan at tcpnetworks.net
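As an added example (not part of this post, nor of MailScanner or sendmail), the check Nathan did by hand can be automated: walk the sendmail log, collect queue ids that logged the "Truncated MIME ... (possible attack)" warning, and report those that were still delivered (stat=Sent) afterwards, so the recipient's copy can be pulled for inspection. The log lines below are constructed, modelled on the excerpt above, and the second message and addresses are made up.

```python
import re
from typing import Dict

# Constructed sample log, modelled on the sendmail excerpt in the post
# (addresses and the second, clean message are made up for the example).
SAMPLE_LOG = """\
Jun 25 18:09:46 ns1 sendmail[20939]: h5Q19f220939: from=<sales@yellow.com>, size=111823, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[IP ADDRESS]
Jun 25 18:09:46 ns1 sendmail[20939]: h5Q19f220939: to=<user@domain.com>, delay=00:00:05, mailer=smtp, pri=141823, stat=queued
Jun 25 18:09:48 ns1 MailScanner[20654]: New Batch: Scanning 1 messages, 112312 bytes
Jun 25 18:09:49 ns1 MailScanner[20654]: Uninfected: Delivered 1 messages
Jun 25 18:09:52 ns1 sendmail[20950]: h5Q19f220939: Truncated MIME Content-Disposition header due to field size (length = 28) (possible attack)
Jun 25 18:09:53 ns1 sendmail[20950]: h5Q19f220939: to=<user@domain.com>, delay=00:00:12, xdelay=00:00:04, mailer=smtp, pri=231823, relay=mail.domain.com. [IP ADDRESS], dsn=2.0.0, stat=Sent (OK)
Jun 25 18:10:01 ns1 sendmail[20960]: h5Q1A0120960: from=<alice@example.org>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[IP ADDRESS]
Jun 25 18:10:05 ns1 sendmail[20961]: h5Q1A0120960: to=<user@domain.com>, delay=00:00:04, mailer=smtp, pri=31200, relay=mail.domain.com. [IP ADDRESS], dsn=2.0.0, stat=Sent (OK)
"""

# syslog prefix plus sendmail queue id; MailScanner lines carry no queue id
SENDMAIL_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# the warning sendmail logs when a MIME header exceeds its configured limit
TRUNC_RE = re.compile(r"Truncated MIME (?P<hdr>[\w-]+) header due to field size "
                      r"\(length = (?P<len>\d+)\) \(possible attack\)")


def find_truncated_then_delivered(log_text: str) -> Dict[str, dict]:
    """Return {queue_id: info} for messages that triggered the truncation
    warning and were still handed to a recipient (stat=Sent) afterwards.
    Lines are read in order, so only deliveries after the warning count."""
    events: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = SENDMAIL_RE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        info = events.setdefault(qid, {"sender": None, "truncated": [],
                                       "recipients": [], "delivered_after": False})
        sender = re.search(r"from=<([^>]*)>", rest)
        if sender:
            info["sender"] = sender.group(1)
        t = TRUNC_RE.search(rest)
        if t:
            info["truncated"].append((t.group("hdr"), int(t.group("len"))))
        elif info["truncated"] and "stat=Sent" in rest:
            info["delivered_after"] = True
            rcpt = re.search(r"to=<([^>]*)>", rest)
            if rcpt:
                info["recipients"].append(rcpt.group(1))
    return {q: i for q, i in events.items() if i["delivered_after"]}
```

Run it over /var/log/maillog instead of SAMPLE_LOG to get the queue ids whose recipient copies should be retrieved and rescanned.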
