Viruses Passing Through MailScanner/Sophos

Julian Field mailscanner at ecs.soton.ac.uk
Mon Aug 16 17:08:05 IST 2004


<x-flowed>
At 17:00 16/08/2004, you wrote:
>Julian Field wrote:
>
>>At 15:47 16/08/2004, you wrote:
>>
>>>Hello,
>>>
>>>I've seen this mentioned in previous posts, but I'm not sure if a
>>>"universal" fix is available.
>>>
>>>Environment: MailScanner-4.29.7, Sophos-3.82, Sendmail-8.12.11
>>>
>>>Problem: MyDoom-O (and maybe other) viruses occasionally pass through
>>>MailScanner/Sophos undetected.
>>>
>>>Analysis: The infected messages that get past MailScanner/Sophos are
>>>"multi-bounces",
>>
>>
>>Can you send me the URL of a copy of one of these messages please?
>>The last one I saw had corrupted headers, which stopped MailScanner
>>finding the message buried in the body text. It does try to find all
>>these "included" messages, but is apparently missing this one for some
>>reason.
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Julian,
>
>Thanks for the prompt (as usual) response.
>
>Can I email you the message instead of supplying a URL?

Well, yes, but what happens if my MailScanner catches it? I automatically
bin virus warnings, so it could be a bit hard to track down your message.

>I can't (don't know how to) produce a password protected zip file
>on the Linux box where I have the message file, and I can't move
>it to my Windows desktop because NAV immediately quarantines
>it.

And I reject password-protected zip files anyway.

>I can gzip it and uuencode it - I think that will pass through most
>virus scanners, or I can send you the message with the virus
>'snipped' out. Will either of these work for you?

uuencoding won't help, and gzip will get undone by Clam at least. Try
replacing the actual virus data with some other harmless text.
And as soon as you have sent it to me, send me another message telling me
you just sent it, so I know to go and hunt for it :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

</x-flowed>
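
The suggestion above, replacing the virus data with harmless text, sketched as an added example that is not part of the original message or of MailScanner. It assumes the attachment is base64-encoded; the function names and the sample bounce are constructed for illustration. Working on the raw text keeps every header and boundary exactly as received, which matters when corrupted headers are what is being debugged.

```python
import base64
import re

FULL = re.compile(r"^[A-Za-z0-9+/]{60,76}$")       # full-width base64 line
TAIL = re.compile(r"^[A-Za-z0-9+/]{1,76}={0,2}$")  # short or padded last line

def neutralize_encoded_runs(raw, min_lines=3):
    """Replace each run of base64 lines with one placeholder line.

    Works on the raw text rather than a parsed MIME tree, so headers and
    boundaries (including malformed ones) are passed through untouched.
    Returns (cleaned_text, number_of_lines_removed).
    """
    out, run, removed = [], [], 0

    def flush():
        nonlocal removed
        if len(run) >= min_lines:
            out.append("[encoded data removed: %d lines]" % len(run))
            removed += len(run)
        else:
            out.extend(run)  # too short to be an attachment body; keep it
        run.clear()

    for line in raw.split("\n"):
        text = line.rstrip("\r")
        if FULL.match(text):
            run.append(line)
        elif run and TAIL.match(text):
            run.append(line)  # final partial line closes the run
            flush()
        else:
            flush()
            out.append(line)
    flush()
    return "\n".join(out), removed

def build_sample():
    """Constructed bounce with a harmless payload and one malformed header."""
    body = base64.encodebytes(b"constructed harmless bytes " * 12).decode()
    return "\n".join([
        "From: MAILER-DAEMON@mail.example", "Subject: Returned mail", "",
        "The original message follows.", "",
        "Received  from unknown",  # constructed: header with no colon
        'Content-Type: multipart/mixed; boundary="b1"', "", "--b1",
        'Content-Type: application/octet-stream; name="sample.bin"',
        "Content-Transfer-Encoding: base64", "",
        body.rstrip("\n"), "--b1--", ""])

if __name__ == "__main__":
    cleaned, count = neutralize_encoded_runs(build_sample())
    print(cleaned)
```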


