Viruses Passing Through MailScanner/Sophos
jwguderjohn at IEEE.ORG
Mon Aug 16 15:47:52 IST 2004
I've seen this mentioned in previous posts, but I'm not sure if a
Environment: MailScanner-4.29.7, Sophos-3.82, Sendmail-8.12.11
Problem: MyDoom-O (and maybe other) viruses occasionally pass through
Analysis: The infected messages that get past MailScanner/Sophos are
i.e., our mail gateway (sendmail) rejects the message because of a
address. The "From" address is a valid mail address within our domain, but the message is being sent from outside our domain, which we don't accept. The sending MTA then sends a "delivery failure notification" to the forged, but valid, "From" address, which is a legal "To" address, hence the message is accepted and queued for
"delivery failure" message is identified as:
Content-Type: multipart/report; report-type=delivery-status;
When MailScanner examines the message, it doesn't seem to recognize the
and therefore does not separate them for virus scanning. If I manually
attachments using MIME::Base64 and then scan them using Sophos, the virus is correctly
For the most part MailScanner/Sophos correctly detects messages with
attachments - even compressed attachments, but these "multi-bounces"
create some type of malformed MIME encoding that gets past MailScanner.
Although this isn't a major problem at the moment, I would like to solve
Does anyone know if there is a fix?
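
The manual check described in the post (decoding the attachments carried inside a delivery-status report and scanning them) can be reproduced with Python's standard `email` package. This is an added example, not part of the original post and not MailScanner's code; the sample message, the function name `scannable_parts` and the result field names are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample bounce; the attachment is the text "harmless test payload".
SAMPLE = b"""\
Content-Type: multipart/report; report-type=delivery-status; boundary="o"

--o
Content-Type: text/plain

Delivery failed.
--o
Content-Type: message/delivery-status

Action: failed
--o
Content-Type: message/rfc822

Content-Type: multipart/mixed; boundary="i"

--i
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="doc.zip"
Content-Transfer-Encoding: base64

aGFybWxlc3MgdGVzdCBwYXlsb2Fk
--i--
--o--
"""

def scannable_parts(raw):
    """Decode every non-empty leaf of the MIME tree, including leaves inside
    message/rfc822 parts of a report, so each can be handed to a scanner."""
    found = []
    def descend(part, path):
        if part.is_multipart():  # multipart/* and message/* containers
            for child in part.get_payload():
                descend(child, path + [part.get_content_type()])
            return
        data = part.get_payload(decode=True) or b""
        if data.strip():
            found.append({
                "path": " > ".join(path + [part.get_content_type()]),
                "filename": part.get_filename(),
                "in_bounce": "message/rfc822" in path and path[0] == "multipart/report",
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data})
    descend(message_from_bytes(raw, policy=policy.default), [])
    return found
```

Each returned `data` value is the decoded body that a gateway would write to disk for the virus scanner; `in_bounce` marks leaves that were only reachable by descending into the returned original message.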