Sobig.F@mm.enc

Dustin Baer dustin.baer at IHS.COM
Mon Sep 8 18:25:28 IST 2003


Julian Field wrote:
>
> I can explain what is happening with all of these cases. A dumb MTA is
> rejecting the message, and including the entire content text of the
> rejected message in the rejection notice, rather than just the headers or
> the first few lines (which is what sensible ones do). As the MIME structure
> of the rejected message is completely broken by it being included very
> simply in the rejection notice, your email app can't actually decode the
> attachment anyway. So it's actually quite safe. But some AV products
> generate a false alarm on it, Norton in particular.

If anybody is interested, I have captured a qf/df pair that makes it
through MailScanner/Sophos email scanning and Lotus Notes/Symantec
(Norton) email scanning, yet is triggered by Symantec (Norton) on the
desktop.

http://www.pcisys.net/~baer/sobig/sobig-broken-mime.zip

Dustin
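Added example, not part of the original post or of MailScanner: a Python model of the mechanism Julian describes, in which a rejection notice pastes the whole rejected message into a plain-text body, so a MIME-aware parser finds no attachment while a structure-blind content scan still matches the base64 text. The addresses, file name, marker bytes and the `raw_scan` logic are constructed assumptions, not a description of any product's actual engine.

```python
import base64
import re
from email import message_from_string
from email.message import EmailMessage

MARKER = b"CONSTRUCTED-HARMLESS-MARKER"  # constructed stand-in for a signature

def build_original():
    """A well-formed MIME message with one base64 attachment (constructed)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "unknown-user@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text.")
    msg.add_attachment(MARKER * 4, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg

def dumb_bounce(original):
    """Rejection notice that pastes the whole rejected message into a
    text/plain body, so its MIME boundaries become ordinary text."""
    return ("From: MAILER-DAEMON@example.net\n"
            "To: sender@example.com\n"
            "Subject: Undeliverable mail\n"
            "Content-Type: text/plain; charset=us-ascii\n\n"
            "Your message was rejected. Original message follows:\n\n"
            + original.as_string())

def mime_attachments(msg):
    """What a MIME-aware mail client or gateway scanner sees as attachments."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def raw_scan(text):
    """Hypothetical structure-blind scanner: decode any line that looks like
    base64 and search the decoded bytes for the marker."""
    for line in text.splitlines():
        if len(line) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", line):
            if MARKER in base64.b64decode(line):
                return True
    return False

if __name__ == "__main__":
    original = build_original()
    bounce_text = dumb_bounce(original)
    bounce = message_from_string(bounce_text)
    print("original attachments:", mime_attachments(original))
    print("bounce attachments:  ", mime_attachments(bounce))
    print("raw scan of bounce:  ", raw_scan(bounce_text))
```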


