virus from '' not blocked?

Julian Field mailscanner at
Wed May 28 08:42:20 IST 2003

At 08:34 28/05/2003, you wrote:
>On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
>>No, it didn't. This is why I sent the mail to the list. The fact that
>>mcafee didn't spot it was due to my own mistake: I didn't check whether
>>dat files were updated.
>>But.... MailScanner did not block the .pif from that particular virus.
>>It does block a random text file which is renamed to whatever.pif but this
>>virus was passed without filtering.
>>Maybe the virus is generating some sort of invalid mail format which
>>causes MailScanner not to recognize the attachment or the attachment
>Like I mentioned in a previous message, it is possible to name a file
>in a way where MS will not match a filename rule it would otherwise
>match - presuming it hasn't been remedied.
>Please send the original message - stuffed in an attachment or quoted -
>so I can determine if there is a known virus using weird file name

<aol>Me too!</aol>
Please tell me what version of MailScanner is not detecting the filename
correctly, and also send me the original message in a zip file, so I can
get all the raw headers out of it and see what its MIME structure looks like.

This is clearly a problem only affecting some people, so it may be a bug I
have already fixed.

>>On Tue, 27 May 2003, Craig Pratt wrote:
>>>On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
>>>>>RavAV's been catching it w/o issue:
>>>>>The following e-mail messages were found to have dangerous content:
>>>>>      Sender: support at
>>>>>IP Address:
>>>>>   Recipient: [chomp]
>>>>>     Subject: Re: Movie
>>>>>   MessageID: h4MJ12gC000237
>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
>>>>>Win32/Sobig.B at mm
>>>>>Shortcuts to MS-Dos programs are very dangerous in email
>>>>Sorry, there are various versions of this virus floating around. RAV
>>>>pick them up all. Really. We have an open case by RAV for this. I have
>>>>seen f-prot picking up them all, McAfee and RAV did pass some
>>>Yikes - thanks for the heads-up! I'll keep an eye out for this.
>>>I hope/presume the filename rule still blocked them?
>>>Craig Pratt
>>>Strongbox Network Services Inc.
>>>mailto:craig at
>>>This message checked for dangerous content by MailScanner on
>Craig Pratt
>Strongbox Network Services Inc.
>mailto:craig at
>This message checked for dangerous content by MailScanner on StrongBox.

Julian Field
MailScanner thanks transtec Computers for their support
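
A diagnostic in the spirit of the request above, as an added example that is not part of the original message and is not MailScanner's code: it walks a raw message's MIME tree with Python's standard email package and lists the filename each part declares in Content-Type and in Content-Disposition. The deny pattern, the addresses and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value

# Assumed deny pattern for illustration; not MailScanner's shipped rule set.
DENY = re.compile(r"\.(pif|scr|bat|com)\s*$", re.IGNORECASE)
# The two places a MIME part can declare a filename.
SOURCES = (("content-type", "name"), ("content-disposition", "filename"))

# Constructed sample; subject and attachment name follow the quoted report.
SAMPLE = b"""\
From: sender@example.com
To: rcpt@example.com
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attachment.
--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_details.pif"

AAAA
--b1
Content-Type: text/plain; name="notes.txt"

plain notes
--b1--
"""

def declared_names(part):
    """Return every filename a part declares, keyed by 'header; param'."""
    found = {}
    for header, param in SOURCES:
        value = part.get_param(param, header=header)
        if value is None:
            continue
        value = collapse_rfc2231_value(value)           # RFC 2231 form
        value = str(make_header(decode_header(value)))  # RFC 2047 words
        found[f"{header}; {param}"] = value
    return found

def mime_report(raw):
    """Flatten the MIME tree into rows: depth, type, names, rule match."""
    rows = []
    def walk(part, depth):
        names = declared_names(part)
        rows.append({"depth": depth, "type": part.get_content_type(),
                     "names": names,
                     "blocked": any(DENY.search(n) for n in names.values())})
        if part.is_multipart():
            for child in part.get_payload():
                walk(child, depth + 1)
    walk(message_from_bytes(raw), 0)
    return rows

if __name__ == "__main__":
    for row in mime_report(SAMPLE):
        print("  " * row["depth"], row["type"], row["names"], row["blocked"])
```

Run against a saved copy of the message, a row with a suspicious name and a false rule match shows which declaration the filename check missed.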
