Sobig.F@mm.enc

[Kevin Spicer]

On Sun, 2003-09-07 at 01:47, Rose, Bobby wrote:

>Hah  I  think I found something to work with.  I use DCC milter and
>recently started using the greylisting function so I checked it's logs
>and one of the messages that made it thru Mailscanner.  It's not the
>complete message but does contain the header makeup.

Thats really useful, I looks like the headers generated by the MTA (in
this case an iMail server - might have guessed it was a windaz boz ;) )
indicate that the message has a mime type of text/plain, however the
'text' message is actually a mime message of type message/rfc822 [I
think...], which in turn is a multipart/mixed message.  So the fault
lies with iMail for giving the message the wrong mime type (which is
incorrect) and sending the virus back (which is stupid).  That doesn't
help us though!  Because MailScanner takes the text/plain at face value
it doesn't recurse into the message looking for problems as it does with
correctly formatted messages. Some of the virus scanners do recognise it
as a message and do handle it correctly.




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material.  If you have received this in error, please contact the
sender and delete this message immediately.  Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited.  BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.