Viruses Passing Through MailScanner/Sophos

Joe Guderjohn jwguderjohn at IEEE.ORG
Mon Aug 16 15:47:52 IST 2004


I've seen this mentioned in previous posts, but I'm not sure if a
"universal" fix is available.

Environment: MailScanner-4.29.7,  Sophos-3.82, Sendmail-8.12.11

Problem: MyDoom-O (and maybe other) viruses occasionally pass through
MailScanner/Sophos undetected.

Analysis: The infected messages that get past MailScanner/Sophos are
i.e., our mail gateway (sendmail) rejects the message because of a
forged "From" address. The "From" address is a valid mail address within
our domain, but the message is being sent from outside our domain, which
we don't accept. The sending MTA then sends a "delivery failure
notification" to the forged, but valid, "From" address, which is a legal
"To" address, hence the message is accepted and queued for inspection.
The "delivery failure" message is identified as:

Content-Type: multipart/report; report-type=delivery-status;

When MailScanner examines the message, it doesn't seem to recognize the
and therefore does not separate them for virus scanning. If I manually
separate the attachments using MIME::Base64 and then scan them using
Sophos, the virus is correctly
For the most part MailScanner/Sophos correctly detects messages with
attachments - even compressed attachments, but these "multi-bounces"
seem to create some type of malformed MIME encoding that gets past
MailScanner.

Although this isn't a major problem at the moment, I would like to solve

Does anyone know if there is a fix?


Joe Guderjohn
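
The following is an added example, not part of the original post and not MailScanner's code: a Python check that walks a `multipart/report` bounce, descends into the returned `message/rfc822` original, and decodes every leaf part so it can be handed to a scanner. The function name, the sample bounce and its addresses are constructed for illustration, and it assumes the original message is returned as a `message/rfc822` part; parser defects are reported so that a malformed bounce is not treated as clean.

```python
import base64
import email
from email import policy

def scannable_parts(raw: bytes):
    """Decode every leaf MIME part, descending into the original message
    returned inside a bounce. Returns (parts, defects)."""
    parts, defects = [], []

    def visit(node, path):
        path = path + [node.get_content_type()]
        where = " > ".join(path)
        if node.is_multipart():  # true for multipart/* and message/rfc822
            for child in node.get_payload():
                visit(child, path)
        else:
            data = node.get_payload(decode=True) or b""
            parts.append((where, node.get_filename(), data))
        # Defects mean the MIME tree may be incomplete: do not pass as clean.
        defects.extend((where, type(d).__name__) for d in node.defects)

    visit(email.message_from_bytes(raw, policy=policy.default), [])
    return parts, defects

# Constructed sample: a bounce returning the original message, which carries
# a base64 attachment (harmless placeholder bytes, not malware).
PAYLOAD = b"constructed placeholder bytes"
SAMPLE_BOUNCE = "\r\n".join([
    "From: MAILER-DAEMON@remote.example",
    "To: user@local.example",
    "MIME-Version: 1.0",
    "Content-Type: multipart/report; report-type=delivery-status;",
    ' boundary="outer"',
    "", "--outer", "Content-Type: text/plain", "", "Delivery failed.",
    "--outer", "Content-Type: message/rfc822", "",
    "From: user@local.example",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="inner"',
    "", "--inner", "Content-Type: text/plain", "", "See attachment.",
    "--inner", "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="sample.bin"', "",
    base64.b64encode(PAYLOAD).decode(),
    "--inner--", "--outer--", "",
]).encode()

if __name__ == "__main__":
    found, problems = scannable_parts(SAMPLE_BOUNCE)
    for where, name, data in found:
        print(where, name, len(data))
    print("defects:", problems)
```

Each decoded part can be written to a scratch directory for the virus scanner; a non-empty defect list is a reason to quarantine the bounce rather than deliver it.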
