Sobig.F@mm.enc

Gerry Doris gerry at dorfam.ca
Mon Sep 8 18:42:13 IST 2003


> Julian Field wrote:
>>
>> I can explain what is happening with all of these cases. A dumb MTA is
>> rejecting the message, and including the entire content text of the
>> rejected message in the rejection notice, rather than just the headers or
>> the first few lines (which is what sensible ones do). As the MIME structure
>> of the rejected message is completely broken by it being included very
>> simply in the rejection notice, your email app can't actually decode the
>> attachment anyway. So it's actually quite safe. But some AV products
>> generate a false alarm on it, Norton in particular.
>
> If anybody is interested, I have captured a qf/df pair that makes it
> through MailScanner/Sophos email scanning and Lotus Notes/Symantec
> (Norton) email scanning, yet is triggered by Symantec (Norton) on the
> desktop.
>
> http://www.pcisys.net/~baer/sobig/sobig-broken-mime.zip
>
> Dustin
>

Do you know if there is a real virus in the email or is it a damaged virus
that is harmless per Julian's note?

Gerry
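
The behaviour described in the quoted explanation can be reproduced with a harmless stand-in; this is an added example, not part of the original thread or of MailScanner. It assumes the rejecting MTA pastes the rejected message into a `text/plain` notice, and `raw_match` is a deliberately simplified model of a scanner that ignores MIME structure; all addresses, the boundary and the payload are constructed.

```python
import base64
from email import message_from_string

# Constructed, harmless stand-in for an attachment body (not real malware).
PAYLOAD = b"CONSTRUCTED-HARMLESS-SAMPLE"
B64 = base64.b64encode(PAYLOAD).decode()

ORIG_HEADERS = (
    "From: sender@example.com\n"
    "To: nobody@example.net\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUND"\n'
)
ORIG_BODY = (
    "--BOUND\n"
    "Content-Type: text/plain\n\n"
    "See the attached file.\n"
    "--BOUND\n"
    "Content-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="sample.bin"\n\n'
    + B64 + "\n"
    "--BOUND--\n"
)
ORIGINAL = ORIG_HEADERS + "\n" + ORIG_BODY

# Assumed shape of the rejection notice: a plain-text message from the MTA.
BOUNCE_HEADERS = (
    "From: MAILER-DAEMON@example.net\n"
    "To: sender@example.com\n"
    "Subject: Undeliverable mail\n"
    "Content-Type: text/plain\n\n"
    "Your message was rejected. Original message follows:\n\n"
)

def dumb_bounce():
    """Notice that pastes headers AND body of the rejected message as text."""
    return BOUNCE_HEADERS + ORIGINAL

def sensible_bounce():
    """Notice that returns only the rejected message's headers."""
    return BOUNCE_HEADERS + ORIG_HEADERS

def attachments(raw):
    """Attachments a MIME-aware mail client could decode: {filename: bytes}."""
    msg = message_from_string(raw)
    return {p.get_filename(): p.get_payload(decode=True)
            for p in msg.walk() if p.get_filename()}

def raw_match(raw):
    """Simplified scanner model: match encoded content anywhere in the raw text."""
    return B64 in raw
```

The dumb bounce yields no decodable attachment, because its top-level type is `text/plain` and the pasted boundary lines are just body text, yet the encoded content is still present for a raw pattern match.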


