virus from 'support@microsoft.com' not blocked?

Julian Field mailscanner at ecs.soton.ac.uk
Wed May 28 16:00:31 IST 2003


At 12:54 28/05/2003, you wrote:
>On Wednesday 28 May 2003 09:42, you wrote:
> > At 08:34 28/05/2003, you wrote:
> > >On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> > >>No, it didn't. This is why I sent the mail to the list. The fact that
> > >>McAfee didn't spot it was due to my own mistake: I didn't check whether
> > >>the dat files were updated.
> > >>
> > >>But.... MailScanner did not block the .pif from that particular virus.
> > >>It does block a random text file which is renamed to whatever.pif but this
> > >>virus was passed without filtering.
> > >>
> > >>Maybe the virus is generating some sort of invalid mail format which
> > >>causes MailScanner not to recognize the attachment or the attachment
> > >>filename?
> > >
> > >Like I mentioned in a previous message, it is possible to name a file
> > >in a way where MS will not match a filename rule it would otherwise
> > >match - presuming it hasn't been remedied.
> > >
> > >Please send the original message - stuffed in an attachment or quoted -
> > >so I can determine if there is a known virus using weird file name
> > >attribution.
> >
> > <aol>Me too!</aol>
> > Please tell me what version of MailScanner is not detecting the filename
> > correctly, and also send me the original message in a zip file, so I can
> > get all the raw headers out of it and see what its MIME structure looks
> > like.
>
>Unfortunately I haven't any message that may help because the users
>deleted it.
>The version of MailScanner not detecting I run is mailscanner-4.12-2.

You may well have had this problem with 4.13, I didn't *think* it was
present in 4.12, but that probably just means no-one reported it in 4.12,
whereas someone did notice it in 4.13.

> > This is clearly a problem only affecting some people, so it may be a bug I
> > have already fixed.
> >
> > >Craig
> > >
> > >>On Tue, 27 May 2003, Craig Pratt wrote:
> > >>>On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> > >>>>Hi!
> > >>>>
> > >>>>>RavAV's been catching it w/o issue:
> > >>>>>
> > >>>>>The following e-mail messages were found to have dangerous content:
> > >>>>>
> > >>>>>      Sender: support at microsoft.com
> > >>>>>IP Address: 68.4.203.36
> > >>>>>   Recipient: [chomp]
> > >>>>>     Subject: Re: Movie
> > >>>>>   MessageID: h4MJ12gC000237
> > >>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
> > >>>>>Win32/Sobig.B at mm
> > >>>>>Shortcuts to MS-Dos programs are very dangerous in email
> > >>>>>(your_details.pif)
> > >>>>
> > >>>>Sorry, there are various versions of this virus floating around. RAV
> > >>>>doesn't pick them all up. Really. We have an open case by RAV for this.
> > >>>>I have seen f-prot picking them all up, McAfee and RAV did pass some
> > >>>>variants.
> > >>>>
> > >>>>Bye,
> > >>>>Raymond.
> > >>>
> > >>>Yikes - thanks for the heads-up! I'll keep an eye out for this.
> > >>>
> > >>>I hope/presume the filename rule still blocked them?
> > >>>
> > >>>Craig
> > >>>
> > >>>---
> > >>>Craig Pratt
> > >>>Strongbox Network Services Inc.
> > >>>mailto:craig at strong-box.net
> > >>>
> > >>>
> > >>>--
> > >>>This message checked for dangerous content by MailScanner on
> > >>>StrongBox.
> > >
> > >---
> > >Craig Pratt
> > >Strongbox Network Services Inc.
> > >mailto:craig at strong-box.net
> > >
> > >
> > >--
> > >This message checked for dangerous content by MailScanner on StrongBox.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support


