virus from 'support@microsoft.com' not blocked?

Mirko Bovati bovati at MONDADORI.COM
Wed May 28 12:54:37 IST 2003


On Wednesday 28 May 2003 09:42, you wrote:
> At 08:34 28/05/2003, you wrote:
> >On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> >>No, it didn't. This is why I sent the mail to the list. The fact that
> >>mcafee didn't spot it was due to my own mistake: I didn't check whether
> >>the dat files were updated.
> >>
> >>But.... MailScanner did not block the .pif from that particular virus.
> >>It does block a random text file which is renamed to whatever.pif but
> >>this virus was passed without filtering.
> >>
> >>Maybe the virus is generating some sort of invalid mail format which
> >>causes MailScanner not to recognize the attachment or the attachment
> >>filename?
> >
> >Like I mentioned in a previous message, it is possible to name a file
> >in a way where MS will not match a filename rule it would otherwise
> >match - presuming it hasn't been remedied.
> >
> >Please send the original message - stuffed in an attachment or quoted -
> >so I can determine if there is a known virus using weird file name
> >attribution.
>
> <aol>Me too!</aol>
> Please tell me what version of MailScanner is not detecting the filename
> correctly, and also send me the original message in a zip file, so I can
> get all the raw headers out of it and see what its MIME structure looks
> like.

Unfortunately I haven't any message that may help because the users
deleted it.
The version of MailScanner not detecting I run is mailscanner-4.12-2.

thanks
Mirko Bovati
>
> This is clearly a problem only affecting some people, so it may be a bug I
> have already fixed.
>
> >Craig
> >
> >>On Tue, 27 May 2003, Craig Pratt wrote:
> >>>On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> >>>>Hi!
> >>>>
> >>>>>RavAV's been catching it w/o issue:
> >>>>>
> >>>>>The following e-mail messages were found to have dangerous content:
> >>>>>
> >>>>>      Sender: support at microsoft.com
> >>>>>IP Address: 68.4.203.36
> >>>>>   Recipient: [chomp]
> >>>>>     Subject: Re: Movie
> >>>>>   MessageID: h4MJ12gC000237
> >>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
> >>>>>Win32/Sobig.B at mm
> >>>>>Shortcuts to MS-Dos programs are very dangerous in email
> >>>>>(your_details.pif)
> >>>>
> >>>>Sorry, there are various versions of this virus floating around. RAV
> >>>>doesn't pick them all up. Really. We have an open case with RAV for
> >>>>this. I have seen f-prot picking them all up, McAfee and RAV did pass
> >>>>some variants.
> >>>>
> >>>>Bye,
> >>>>Raymond.
> >>>
> >>>Yikes - thanks for the heads-up! I'll keep an eye out for this.
> >>>
> >>>I hope/presume the filename rule still blocked them?
> >>>
> >>>Craig
> >>>
> >>>---
> >>>Craig Pratt
> >>>Strongbox Network Services Inc.
> >>>mailto:craig at strong-box.net
> >>>
> >>>
> >>>--
> >>>This message checked for dangerous content by MailScanner on
> >>>StrongBox.
> >
> >---
> >Craig Pratt
> >Strongbox Network Services Inc.
> >mailto:craig at strong-box.net
> >
> >
> >--
> >This message checked for dangerous content by MailScanner on StrongBox.



