Sobig.F@mm.enc

Rose, Bobby brose at MED.WAYNE.EDU
Sun Sep 7 01:17:52 IST 2003


I saw the thread and I think I see what folks were saying.  I think we
all thought people were saying that it was the pif guy coming thru but
it's the mm.enc one.

I'm running 4.23.11 on Solaris with both Sophos and ClamAV running and I
block exe, pif, com, bat, scr, etc.  I don't have the actual message
since NortonAV for Exchange is catching it and stripping it out.  That's
why I started looking into it, because I thought it odd that Norton was
blabbering about it since all external mail goes thru MailScanner before
getting to Exchange.  Sure enough, it was external messages that NAV for
Exchange was picking up.  Our Exchange boxes are configured to only
accept mail from the mail gateway. So I did some further checking and
it's the .enc, which is where it's encoded in the mime header.  I thought
that MS had been written in the early 4.xx versions to block anything
encoded in the headers, so I'm thinking that maybe it's been broken due to
all the new content checking options that have been added.

Now I don't know if it's the virus or the AV software that someone is
using, but the message is from a postmaster at xxx.xxx.xx and is a rejection
message saying that the message you sent was infected.  So it's either a
virus generated message or a real bounce message where the original
message was sent back with the virus.  I don't know if there are AV
products out there that send the whole original message back if rejected,
which sounds kind of dumb.




-=B



-----Original Message-----
From: Kevin Spicer [mailto:kevins at BMRB.CO.UK] 
Sent: Saturday, September 06, 2003 7:17 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig.F at mm.enc


On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote:

>MailScanner doesn't seem to be catching this.  I thought MS was written
>to check for the mime enclosed in header stuff.  Did this get broken
>along the later versions?

This looks like it might be the same issue as yesterday's thread 'Missed
Virus?'. Could you give a few more details, like MailScanner version,
scanner name, format of the message that got through (was it an MTA
bounce message with a .txt attachment containing the original mail with
a virus?).  Source of the mail would be good if you have it (but please
snip out the encoded virus data from between the MIME section headers!!)






BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
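As an added illustration (not code from the thread, and not MailScanner's own logic), here is a small Python check for the message shape Kevin asks about: a postmaster rejection that carries the original mail, and its attachment, either as a message/rfc822 part or as a .txt attachment. The sample messages, addresses and block list are constructed for the example; the point is that the blocked filename only shows up once you descend into the nested mail, which a filter that looks only at top-level parts never sees.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions taken from the poster's own block list (assumed to be complete here).
BLOCKED_EXTENSIONS = {"exe", "pif", "com", "bat", "scr"}


def attachment_names(msg):
    """Yield every filename declared in Content-Disposition or Content-Type.
    Descends into message/rfc822 parts and into text attachments that are
    themselves a complete mail (the '.txt containing the original' bounce form)."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() == "attachment"):
            inner = email.message_from_string(part.get_content(), policy=policy.default)
            if inner.get("Content-Type"):  # recurse only if the text really is a mail
                yield from attachment_names(inner)


def blocked_attachments(msg):
    """Return the attachment names whose extension is on the block list."""
    return [n for n in attachment_names(msg)
            if n.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS]


def _original_mail():
    """Constructed sample of the original mail (attachment content is a placeholder)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "user@example.invalid", "victim@example.invalid", "Re: Details"
    m.set_content("See the attached file.")
    m.add_attachment(b"PLACEHOLDER", maintype="application", subtype="octet-stream",
                     filename="your_document.pif")
    return m


def build_bounce(as_text):
    """Constructed sample rejection notice. With as_text=True the original is carried
    as a text/plain .txt attachment, otherwise as a message/rfc822 part."""
    b = EmailMessage()
    b["From"], b["To"], b["Subject"] = "postmaster@example.invalid", "user@example.invalid", "Rejected: infected"
    b.set_content("The message you sent was infected and has been rejected.")
    original = _original_mail()
    if as_text:
        b.add_attachment(original.as_string(), subtype="plain", filename="original.txt")
    else:
        b.add_attachment(original)
    return b


if __name__ == "__main__":
    for as_text in (False, True):
        print(as_text, blocked_attachments(build_bounce(as_text)))
```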
