Sobig.F@mm.enc

Rose, Bobby brose at MED.WAYNE.EDU
Sun Sep 7 01:47:54 IST 2003 

Hah  I  think I found something to work with.  I use DCC milter and
recently started using the greylisting function so I checked it's logs
and one of the messages that made it thru Mailscanner.  It's not the
complete message but does contain the header makeup.

-=B




-----Original Message-----
From: Remco Barendse [mailto:mailscanner at BARENDSE.TO] 
Sent: Saturday, September 06, 2003 7:41 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig.F at mm.enc


Do you still have a df/qf pair of the virus mail? Would like to study
it. Bouncing it will not be much use as most MUAs tend to fix certain
stuff.

On Sat, 6 Sep 2003, Rose, Bobby wrote:

> MailScanner doesn't seem to be catching this.  I thought Ms was 
> written to cehck for the mime enclosed in header stuff.  Did this get 
> broken along the later versions.
>
> -=Bobby
>
-------------- next part --------------
VERSION: 3
DATE: 09/06/03 18:41:06 EDT
IP: mail.straight-away.com ::ffff:12.96.54.33
HELO: straight-away.com
env_From: <>  mail_host=
env_To: <tcrossle at med.wayne.edu>  addr=tcrossle at exchange.med.wayne.edu  dir=userdirs/relay/tcrossle at exchange.med.wayne.edu

Date:     Sat,  6 Sep 2003 19:58:15 -0400
Message-Id: <10309061958.AA74726420 at straight-away.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From:     "Postmaster" <postmaster at straight-away.com>
Sender:   <postmaster at straight-away.com>
To:       <tcrossle at med.wayne.edu>
Subject:  Undeliverable Mail
X-Mailer: <SMTP32 v8.00>

Requested action not taken: virus detected

Original message follows.

Received: from TAIMUR-YRXU8L7C [68.41.139.205] by straight-away.com
  (SMTPD32-8.00) id A48B47900EA; Sat, 06 Sep 2003 19:58:03 -0400
From: <tcrossle at med.wayne.edu>
To: <lenders at straight-away.com>
Subject: Re: Wicked screensaver
Date: Sat, 6 Sep 2003 18:43:01 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="_NextPart_000_000A06F8"
Message-Id: <20030906195862.SM01312 at TAIMUR-YRXU8L7C>

This is a multipart message in MIME format

--_NextPart_000_000A06F8
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_000A06F8
Content-Type: application/octet-stream;
        name="wicked_scr.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="wicked_scr.scr"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
[message truncated]

### end of message body ########################

X-DCC-MessageCare-Metrics: eeyore 1108; Body=1 Fuz1=1 Fuz2=1
                                                      checksum  server      
                       IP: c662cec7 0d155b95 bce5bb9d ff58c603              
                 env_From: d41d8cd9 8f00b204 e9800998 ecf8427e              
                     From: 342e96a8 d0fd1448 210eb78e be98cab9              
     substitute mail_host: 617d4dcd 2d889dc3 be693d50 abc8d8bc              
               Message-ID: 8dd46981 5ced570e 505354e0 5d3b0130              
                     Body: 10f0b989 22c6bfa4 15799515 a6b73d06       0      
                     Fuz1: 35cfefec f12cc999 7914fa41 c0d8d574       0      
                     Fuz2: 969aa337 96782573 213678b0 57166e33       0      

                recipient
 <tcrossle at med.wayne.edu>: 25705ccc 2d472d5b b9c76cbf de557a76 First Embargo

rejection message: 451 4.7.1 mail h86Mf65a022618 from ::ffff:12.96.54.33 embargoed by DCC
result: reject

More information about the MailScanner mailing list