virus from 'support@microsoft.com' not blocked?

Julian Field mailscanner at ecs.soton.ac.uk
Wed May 28 08:42:20 IST 2003


At 08:34 28/05/2003, you wrote:
>On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
>>No, it didn't. This is why I sent the mail to the list. The fact that
>>McAfee didn't spot it was due to my own mistake: I didn't check whether
>>the dat files were updated.
>>
>>But.... MailScanner did not block the .pif from that particular virus.
>>It does block a random text file which is renamed to whatever.pif but this
>>virus was passed without filtering.
>>
>>Maybe the virus is generating some sort of invalid mail format which
>>causes MailScanner not to recognize the attachment or the attachment
>>filename?
>
>Like I mentioned in a previous message, it is possible to name a file
>in a way where MS will not match a filename rule it would otherwise
>match - presuming it hasn't been remedied.
>
>Please send the original message - stuffed in an attachment or quoted -
>so I can determine if there is a known virus using weird file name
>attribution.

<aol>Me too!</aol>
Please tell me what version of MailScanner is not detecting the filename
correctly, and also send me the original message in a zip file, so I can
get all the raw headers out of it and see what its MIME structure looks like.

This is clearly a problem only affecting some people, so it may be a bug I
have already fixed.


>Craig
>
>>On Tue, 27 May 2003, Craig Pratt wrote:
>>
>>>On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
>>>>Hi!
>>>>
>>>>>RavAV's been catching it w/o issue:
>>>>>
>>>>>The following e-mail messages were found to have dangerous content:
>>>>>
>>>>>      Sender: support at microsoft.com
>>>>>IP Address: 68.4.203.36
>>>>>   Recipient: [chomp]
>>>>>     Subject: Re: Movie
>>>>>   MessageID: h4MJ12gC000237
>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
>>>>>Win32/Sobig.B at mm
>>>>>Shortcuts to MS-Dos programs are very dangerous in email
>>>>>(your_details.pif)
>>>>
>>>>Sorry, there are various versions of this virus floating around. RAV
>>>>doesn't pick them all up. Really. We have an open case by RAV for this.
>>>>I have seen f-prot picking them all up, McAfee and RAV did pass some
>>>>variants.
>>>>
>>>>Bye,
>>>>Raymond.
>>>
>>>Yikes - thanks for the heads-up! I'll keep an eye out for this.
>>>
>>>I hope/presume the filename rule still blocked them?
>>>
>>>Craig
>>>
>>>---
>>>Craig Pratt
>>>Strongbox Network Services Inc.
>>>mailto:craig at strong-box.net
>>>
>>>
>>>--
>>>This message checked for dangerous content by MailScanner on
>>>StrongBox.
>>>
>---
>Craig Pratt
>Strongbox Network Services Inc.
>mailto:craig at strong-box.net
>
>
>--
>This message checked for dangerous content by MailScanner on StrongBox.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
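
The thread does not establish why the filename rule missed this attachment. As an added example (not from the thread and not MailScanner's code), the Python below walks a message's MIME structure and collects every filename a part declares, from both Content-Disposition and Content-Type and with RFC 2231 continuations decoded, before applying a rule. The `DENY` pattern, the `SAMPLE` message and the function names are assumptions made for illustration.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Hypothetical filename rule standing in for a "block .pif" entry.
DENY = re.compile(r"\.pif$", re.IGNORECASE)

# Constructed sample message (not the message discussed in the thread).
SAMPLE = b"""\
Subject: Re: Movie
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*0="your_det"; filename*1="ails.pif"

x
--b1--
"""

def declared_names(part):
    # Collect the name from both headers; a part may use either or both.
    names = []
    for header, param in (("content-disposition", "filename"), ("content-type", "name")):
        value = part.get_param(param, header=header)
        if value is not None:
            # get_param returns a tuple for RFC 2231 encoded values; collapse it.
            names.append(collapse_rfc2231_value(value).strip())
    return names

def audit(raw):
    # One row per MIME part: (content type, declared names, blocked?)
    rows = []
    for part in email.message_from_bytes(raw).walk():
        names = declared_names(part)
        blocked = any(DENY.search(n) for n in names)
        rows.append((part.get_content_type(), names, blocked))
    return rows

def naive_names(raw):
    # What a check reading only a literal filename="..." parameter would see.
    return re.findall(rb'filename="([^"]*)"', raw)
```

Calling `audit()` on the raw message gives the per-part view of the MIME structure asked for above; comparing it with `naive_names()` shows which declared names a literal-match check would never see.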