Viruses Passing Through MailScanner/Sophos

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Mon Aug 16 16:03:36 IST 2004


MailScanner mailing list wrote:
> Hello,
>
> I've seen this mentioned in previous posts, but I'm not sure
> if a "universal" fix is available.
>
> Environment: MailScanner-4.29.7,  Sophos-3.82, Sendmail-8.12.11
>
> Problem: MyDoom-O (and maybe other) viruses occasionally pass
> through MailScanner/Sophos undetected.
>
> Analysis: The infected messages that get past
> MailScanner/Sophos are "multi-bounces", i.e., our mail
> gateway (sendmail) rejects the message because of a forged "From"
> address. The "From" address is a valid mail address within
> our domain, but the message is being sent from outside our
> domain, which we don't accept.  The sending MTA then sends a
> "delivery failure notification" to the forged, but valid, "From"
> address, which is a legal "To" address, hence the message is accepted
> and queued for inspection. The "delivery failure" message is identified as:
>
> Content-Type: multipart/report; report-type=delivery-status;
>     boundary="i7AJOF0e032463.1092165855/hp01.vak12ed.edu"
>
> When MailScanner examines the message, it doesn't seem to recognize
> the attachment(s)
> and therefore does not separate them for virus scanning. If
> I manually separate the attachments using MIME::Base64 and
> then scan them using Sophos, the virus is correctly identified.
>
> For the most part MailScanner/Sophos correctly detects
> messages with infected attachments - even compressed
> attachments, but these "multi-bounces" seem to
> create some type of malformed MIME encoding that gets past
> MailScanner.
>
> Although this isn't a major problem at the moment, I would
> like to solve this.
>
> Does anyone know if there is a fix?
>
> Thanks.
>
> Joe

Does the problem still happen with the current version (4.32)?

Cheers,

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
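As an added illustration of the MIME nesting Joe describes (this is not code from the list or from MailScanner): a constructed multipart/report bounce whose message/rfc822 part carries the forged-From original and its attachment. Looking only at the bounce's direct subparts finds no attachment; walking every container, including message/rfc822 and message/delivery-status, does. The sample message, addresses and function names are assumptions.

```python
import base64
import email
from email import policy

# Constructed sample of a "multi-bounce": a DSN (multipart/report) whose
# message/rfc822 part carries the forged-From original and its attachment.
RAW_DSN = (
    "From: MAILER-DAEMON@example.net\nTo: user@example.org\n"
    "Subject: Delivery failure\nMIME-Version: 1.0\n"
    "Content-Type: multipart/report; report-type=delivery-status;\n"
    '    boundary="outer"\n\n'
    "--outer\nContent-Type: text/plain\n\nYour message could not be delivered.\n"
    "--outer\nContent-Type: message/delivery-status\n\n"
    "Reporting-MTA: dns; mx.example.net\n\n"
    "Final-Recipient: rfc822; user@example.org\nAction: failed\n"
    "--outer\nContent-Type: message/rfc822\n\n"
    "From: user@example.org\nTo: victim@example.net\n"
    'Content-Type: multipart/mixed; boundary="inner"\n\n'
    "--inner\nContent-Type: text/plain\n\nsee attachment\n"
    '--inner\nContent-Type: application/octet-stream; name="document.zip"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="document.zip"\n\n'
    + base64.b64encode(b"constructed sample, not real malware").decode()
    + "\n--inner--\n--outer--\n"
)

def parse_dsn(raw):
    """Parse the bounce with the modern policy so parts are EmailMessages."""
    return email.message_from_string(raw, policy=policy.default)

def direct_attachment_names(msg):
    """Filenames among the outer message's immediate subparts only.
    A DSN's immediate parts are the report text and the status block, so a
    scanner that stops here never sees the original's attachment."""
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def all_attachments(msg):
    """Descend through every container, including message/rfc822 and
    message/delivery-status, and return (filename, content-type, bytes)
    for each leaf that carries a filename or a non-text payload."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name or part.get_content_maintype() not in ("text", "message"):
            found.append((name, part.get_content_type(), part.get_content()))
    return found
```

The bytes returned by `all_attachments` are what a gateway should hand to the virus scanner, regardless of how deeply the bounce nests the original message.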
