Viruses Passing Through MailScanner/Sophos

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Mon Aug 16 16:03:36 IST 2004

MailScanner mailing list wrote:
> Hello,
> I've seen this mentioned in previous posts, but I'm not sure
> if a "universal" fix is available.
> Environment: MailScanner-4.29.7,  Sophos-3.82, Sendmail-8.12.11
> Problem: MyDoom-O (and maybe other) viruses occasionally pass
> through MailScanner/Sophos undetected.
> Analysis: The infected messages that get past
> MailScanner/Sophos are "multi-bounces", i.e., our mail
> gateway (sendmail) rejects the message because of a forged "From"
> address. The "From" address is a valid mail address within
> our domain, but the message is being sent from outside our
> domain, which we don't accept.  Then sending MTA then sends a
> "delivery failure notification" to the forged, but valid, "From"
> address, which is a legal "To" address, hence the message is accepted
> and queued
> for inspection. The "delivery failure"  message is identified as:
> Content-Type: multipart/report; report-type=delivery-status;
>     boundary="i7AJOF0e032463.1092165855/"
> When MailScanner examines the message, it doesn't seem to recognize
> the attachment(s)
> and therefore does not separate them for virus scanning. If
> I manually separate the attachments using MIME::Base64 and
> then scan them using Sophos, the virus is correctly identified.
> For the most part MailScanner/Sophos correctly detects
> messages with infected attachments - even compressed
> attachments, but these "multi-bounces"
> seem to
> create some type of malformed MIME encoding that gets past
> MailScanner.
> Although this isn't a major problem at the moment, I would
> like to solve this.
> Does anyone know if there is a fix?
> Thanks.
> Joe

Does the problem still happen with the current version (4.32)?


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ ( and
the archives (

More information about the MailScanner mailing list