Sobig.F@mm.enc

Dustin Baer dustin.baer at IHS.COM
Mon Sep 8 18:50:09 IST 2003


Gerry Doris wrote:
>
> > Julian Field wrote:
> >>
> >> I can explain what is happening with all of these cases. A dumb MTA is
> >> rejecting the message, and including the entire content text of the
> >> rejected message in the rejection notice, rather than just the headers or
> >> the first few lines (which is what sensible ones do). As the MIME structure
> >> of the rejected message is completely broken by it being included very
> >> simply in the rejection notice, your email app can't actually decode the
> >> attachment anyway. So it's actually quite safe. But some AV products
> >> generate a false alarm on it, Norton in particular.
> >
> > If anybody is interested, I have captured a qf/df pair that makes it
> > through MailScanner/Sophos email scanning and Lotus Notes/Symantec
> > (Norton) email scanning, yet is triggered by Symantec (Norton) on the
> > desktop.
> >
> > http://www.pcisys.net/~baer/sobig/sobig-broken-mime.zip
> >
> > Dustin
> >
>
> Do you know if there is a real virus in the email or is it a damaged virus
> that is harmless per Julian's note?
>
> Gerry

Well, it acts exactly like Julian discusses above, i.e. passes through
mail scanning software, but is caught by Norton on the desktop.

Then again, I suppose a smart person could extract it, decode it and it
would be the actual SoBig virus.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836
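
The situation discussed in this thread, as an added example that is not part of the original posts or of MailScanner: a MIME-aware parser finds no attachment in a bounce that quotes the whole rejected message as text, while a line-oriented check still sees the base64 run that a raw-content desktop scanner may flag. The sample messages, addresses, function names and the three-line threshold are all constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample: harmless filler ("ABC" repeated), placeholder addresses.
FILLER = ("QUJD" * 19 + "\n") * 4
INNER = (
    "From: sender@example.net\n"
    'Content-Type: multipart/mixed; boundary="xyz"\n\n'
    "--xyz\nContent-Type: text/plain\n\nSee the attached file.\n"
    '--xyz\nContent-Type: application/octet-stream; name="sample.bin"\n'
    "Content-Transfer-Encoding: base64\n\n" + FILLER + "--xyz--\n"
)
# Bounce from an MTA that pastes the whole rejected message into a text body.
BOUNCE = (
    "From: MAILER-DAEMON@mta.example\n"
    "Content-Type: text/plain\n\n"
    "Your message was rejected. Original message follows:\n\n" + INNER
)
B64_LINE = re.compile(r"[A-Za-z0-9+/]{60,76}={0,2}")

def mime_attachments(msg):
    """Leaf parts a MIME-aware scanner or mail client would treat as files."""
    return [p for p in msg.walk()
            if not p.is_multipart() and p.get_content_maintype() != "text"]

def base64_runs_in_text(msg, min_lines=3):
    """Count runs of base64-looking lines sitting inside text/* bodies."""
    runs = 0
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        streak = 0
        for line in part.get_content().splitlines() + [""]:  # "" flushes last run
            if B64_LINE.fullmatch(line):
                streak += 1
                continue
            runs += 1 if streak >= min_lines else 0
            streak = 0
    return runs

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if mime_attachments(msg):
        return "attachment-in-mime-structure"
    if base64_runs_in_text(msg):
        return "base64-in-text-body"
    return "no-encoded-content"
```

The original message classifies as `attachment-in-mime-structure`, while the bounce that quotes it classifies as `base64-in-text-body`, which is the case where gateway and desktop scanners can disagree.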


