Sobig.F@mm.enc

Steve Ellis ellis at KAZAKCOMPOSITES.COM
Mon Sep 8 15:40:38 IST 2003


The attached file is an example (with virus removed) of the virus
containing bounces I've been getting. The bounce is due to "no such
user", not as a result of infection. As best I can tell, the payload is
successfully decoded. MailScanner 4.22-5 with Command anti-virus did not
catch this.

Is this something MS should catch?

Steve Ellis
Sr Engineer
KaZaK Composites, Inc.
781.932.5667 x105


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Sunday, September 07, 2003 2:52 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig.F at mm.enc

I can explain what is happening with all of these cases. A dumb MTA is
rejecting the message, and including the entire content text of the
rejected message in the rejection notice, rather than just the headers or
the first few lines (which is what sensible ones do). As the MIME structure
of the rejected message is completely broken by it being included very
simply in the rejection notice, your email app can't actually decode the
attachment anyway. So it's actually quite safe. But some AV products
generate a false alarm on it, Norton in particular.

At 01:17 07/09/2003, you wrote:
>Now I don't know if it's the virus or the AV software that someone is
>using but the message is from a postmaster at xxx.xxx.xx and is a
>rejection message saying that the message you sent was infected.  So it's
>either a virus generated message or a real bounce message where the
>original message was sent back with the virus.  I don't know if there are
>AV products out there that send the whole original message back if
>rejected, which sounds kind of dumb.
>
>-----Original Message-----
>From: Kevin Spicer [mailto:kevins at BMRB.CO.UK]
>Sent: Saturday, September 06, 2003 7:17 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Sobig.F at mm.enc
>
>
>On Sun, 2003-09-07 at 00:03, Rose, Bobby wrote:
>
> >MailScanner doesn't seem to be catching this.  I thought MS was written
> >to check for the mime enclosed in header stuff.  Did this get broken
> >along the later versions?
>
>This looks like it might be the same issue as yesterday's thread 'Missed
>Virus?'. Could you give a few more details, like MailScanner version,
>scanner name, format of the message that got through (was it an MTA
>bounce message with a .txt attachment containing the original mail with
>a virus?).  Source of the mail would be good if you have it (but please
>snip out the encoded virus data from between the MIME section headers!!)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mking.sav
Type: application/octet-stream
Size: 3697 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030908/d29ae470/mking.obj
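The situation Julian describes (an MTA pasting the whole rejected message into the text body of its bounce, so a MIME parser sees no attachment at all) and the check Bobby asks about (MailScanner looking for MIME structure enclosed in text) can both be shown with the Python standard library. The example below is added here; it is not code from the thread or from the MailScanner project. All three messages are constructed in the script, the attachment payload is a harmless byte string standing in for whatever the original carried, and the addresses use the reserved `.invalid` domain.

```python
"""Added example (not from the MailScanner thread or project).

Shows why a bounce that pastes the rejected message verbatim into a
text/plain body exposes no decodable attachment to a MIME parser, and a
defender-side check that re-parses such text so the enclosed attachment can
still be handed to a content scanner.  Every message here is constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for an attachment body; harmless bytes, not malware.
PAYLOAD = b"constructed sample attachment bytes"

# Header-looking line: a field name (no spaces) followed by a colon and space.
HEADER_LINE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:[ \t]", re.M)
# Cheap gate: plain text that carries its own Content-Type header line.
CONTENT_TYPE_RE = re.compile(r"^Content-Type:", re.M | re.I)


def build_original() -> bytes:
    """Constructed multipart message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "nosuchuser@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached file.")
    msg.add_attachment(PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="attachment.bin")
    return msg.as_bytes()


def build_dumb_bounce(original: bytes) -> bytes:
    """Bounce from a 'dumb' MTA: the entire original pasted as plain text."""
    bounce = EmailMessage()
    bounce["From"] = "postmaster@example.invalid"
    bounce["To"] = "sender@example.invalid"
    bounce["Subject"] = "Undeliverable: no such user"
    bounce.set_content("Delivery failed: no such user.\n\n"
                       "---- Original message ----\n"
                       + original.decode("ascii", "replace"))
    return bounce.as_bytes()


def decodable_attachments(raw: bytes) -> list:
    """Filenames a standard MIME parser reports as attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() is not None]


def recover_embedded_message(raw: bytes) -> list:
    """Defender-side check: re-parse a message pasted into a text/plain body.

    Returns (filename, decoded bytes) for every attachment found that way, so
    a scanner can examine content the outer MIME structure does not expose.
    """
    found = []
    outer = BytesParser(policy=policy.default).parsebytes(raw)
    for part in outer.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = part.get_content()
        if not CONTENT_TYPE_RE.search(text):
            continue                      # ordinary text, nothing enclosed
        start = HEADER_LINE_RE.search(text)
        if start is None:
            continue
        # Parse from the first header line; the pasted message's own
        # boundaries then yield its parts as real MIME entities again.
        inner = message_from_string(text[start.start():],
                                    policy=policy.default)
        for sub in inner.walk():
            name = sub.get_filename()
            if name is not None:
                found.append((name, sub.get_payload(decode=True)))
    return found


if __name__ == "__main__":
    original = build_original()
    bounce = build_dumb_bounce(original)
    print("original:", decodable_attachments(original))   # ['attachment.bin']
    print("dumb bounce:", decodable_attachments(bounce))  # []
    for name, data in recover_embedded_message(bounce):
        print("enclosed:", name, data == PAYLOAD)          # attachment.bin True
```

The outer parse of the bounce is a single text/plain part, which is why a mail client and a scanner that only walks MIME parts see nothing to decode; the re-parse is the kind of check the thread refers to, and it hands the enclosed bytes back to whatever anti-virus engine sits behind the scanner.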

