Viruses Passing Through MailScanner/Sophos

Joe Guderjohn jwguderjohn at IEEE.ORG
Mon Aug 16 15:47:52 IST 2004


Hello,

I've seen this mentioned in previous posts, but I'm not sure if a "universal" fix is available.

Environment: MailScanner-4.29.7,  Sophos-3.82, Sendmail-8.12.11

Problem: MyDoom-O (and maybe other) viruses occasionally pass through MailScanner/Sophos undetected.

Analysis: The infected messages that get past MailScanner/Sophos are "multi-bounces", i.e., our mail gateway (sendmail) rejects the message because of a forged "From" address. The "From" address is a valid mail address within our domain, but the message is being sent from outside our domain, which we don't accept. The sending MTA then sends a "delivery failure notification" to the forged, but valid, "From" address, which is a legal "To" address, hence the message is accepted and queued for inspection. The "delivery failure" message is identified as:

Content-Type: multipart/report; report-type=delivery-status;
    boundary="i7AJOF0e032463.1092165855/hp01.vak12ed.edu"

When MailScanner examines the message, it doesn't seem to recognize the attachment(s) and therefore does not separate them for virus scanning. If I manually separate the attachments using MIME::Base64 and then scan them using Sophos, the virus is correctly identified.

For the most part MailScanner/Sophos correctly detects messages with infected attachments - even compressed attachments, but these "multi-bounces" seem to create some type of malformed MIME encoding that gets past MailScanner.

Although this isn't a major problem at the moment, I would like to solve this.

Does anyone know if there is a fix?

Thanks.

Joe
--
Joe Guderjohn

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
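As an added illustration (my own code, not the poster's, MailScanner's or Sophos's): a constructed bounce in the multipart/report shape quoted above, showing why a scanner that inspects only the report's top-level parts sees no attachment, while descending through the nested message/rfc822 part reaches the base64 attachment the post describes. Python's email package stands in for the manual MIME::Base64 step; all addresses, boundaries and the attachment bytes are constructed.

```python
import base64
from email import message_from_bytes
from email.policy import default
# Constructed stand-in for the attachment bytes (not malware).
SAMPLE_ATTACHMENT = b"constructed sample attachment bytes"
# Constructed DSN in the shape quoted above: the rejected original message comes
# back whole as a message/rfc822 part, so its attachment sits two containers deep.
SAMPLE_BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@example.net
To: forged-sender@example.com
Content-Type: multipart/report; report-type=delivery-status;
    boundary="outer.constructed"

--outer.constructed
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed

--outer.constructed
Content-Type: message/rfc822

Content-Type: multipart/mixed; boundary="inner.constructed"

--inner.constructed
Content-Type: application/octet-stream; name="document.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.zip"

{b64}
--inner.constructed--
--outer.constructed--
"""

def build_sample_bounce() -> bytes:
    b64 = base64.b64encode(SAMPLE_ATTACHMENT).decode()
    return SAMPLE_BOUNCE_TEMPLATE.format(b64=b64).encode()

def direct_children_only(raw: bytes) -> list:
    """Look only at the report's own top-level parts: no named attachment is seen."""
    msg = message_from_bytes(raw, policy=default)
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def extract_leaf_parts(raw: bytes) -> list:
    """walk() descends into every container; each leaf is (type, filename, decoded bytes)."""
    msg = message_from_bytes(raw, policy=default)
    return [(p.get_content_type(), p.get_filename(), p.get_payload(decode=True) or b"")
            for p in msg.walk() if not p.is_multipart()]
```

Every tuple returned by extract_leaf_parts is what should be handed to the virus scanner; the nested zip only appears in that list, never in direct_children_only.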


