Viruses Passing Through MailScanner/Sophos

Joe Guderjohn jwguderjohn at IEEE.ORG
Mon Aug 16 19:02:17 IST 2004


Julian Field wrote:

> At 17:00 16/08/2004, you wrote:
>
>> Julian Field wrote:
>>
>>> At 15:47 16/08/2004, you wrote:
>>>
>>>> Hello,
>>>>
>>>> I've seen this mentioned in previous posts, but I'm not sure if a
>>>> "universal" fix is available.
>>>>
>>>> Environment: MailScanner-4.29.7,  Sophos-3.82, Sendmail-8.12.11
>>>>
>>>> Problem: MyDoom-O (and maybe other) viruses occasionally pass through
>>>> MailScanner/Sophos undetected.
>>>>
>>>> Analysis: The infected messages that get past MailScanner/Sophos are
>>>> "multi-bounces",
>>>
>>> Can you send me the URL of a copy of one of these messages please.
>>> The last one I saw had corrupted headers, which stopped MailScanner finding
>>> the message buried in the body text. It does try to find all these
>>> "included" messages, but is apparently missing this one for some reason.
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> MailScanner thanks transtec Computers for their support
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Julian,
>>
>> Thanks for the prompt (as usual) response.
>>
>> Can I email you the message instead of supplying a URL?
>
> Well, yes, but what happens if my MailScanner catches it? I automatically
> bin virus warnings, so it could be a bit hard to track down your message.
>
>> I can't (don't know how to) produce a password-protected zip file
>> on the Linux box where I have the message file, and I can't move
>> it to my Windows desktop because NAV immediately quarantines it.
>
> And I reject password-protected zip files anyway.
>
>> I can gzip it and uuencode it - I think that will pass through most
>> virus scanners, or I can send you the message with the virus
>> 'snipped' out. Will either of these work for you?
>
> uuencoding won't help, and gzip will get undone by Clam at least. Try
> replacing the actual virus data with some other harmless text.
> And as soon as you have sent it to me, send me another message telling me
> you just sent it, so I know to go and hunt for it :-)
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

Julian,

Below is an example of the messages that "get through".

###########################################################################

Return-path: <>
Received: from hp01.vak12ed.edu [141.104.150.251]
    by mail.vak12ed.edu; Thu, 12 Aug 2004 08:53:26 -0400
Received: from pen3.pen.k12.va.us (pen3.pen.k12.va.us [141.104.22.206])
    by hp01.vak12ed.edu (8.12.11/8.11.6) with ESMTP id i7CCrIoG002081
    for <postmaster at mail.vak12ed.edu>; Thu, 12 Aug 2004 08:53:26 -0400
Received: from forward1.ss.herndon.psi.net (forward1.ss.herndon.psi.net
[38.200.3.125])
    by pen3.pen.k12.va.us (8.12.11/8.12.11) with ESMTP id i7CCpSCG008758
    for <postmaster at mail.vak12ed.edu>; Thu, 12 Aug 2004 08:51:28 -0400
Received: by forward1.ss.herndon.psi.net (Postfix)
    id D5CB8C924; Thu, 12 Aug 2004 08:49:23 -0400 (EDT)
Date: Thu, 12 Aug 2004 08:49:23 -0400 (EDT)
From: MAILER-DAEMON at forward1.ss.herndon.psi.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: postmaster at mail.vak12ed.edu
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="955BBCACB.1092314963/forward1.ss.herndon.psi.net"
Message-Id: <20040812124923.D5CB8C924 at forward1.ss.herndon.psi.net>
X-VDOE-MailScanner-Information: Please contact VDOE for details
X-VDOE-MailScanner: Found to be clean

This is a MIME-encapsulated message.

--955BBCACB.1092314963/forward1.ss.herndon.psi.net
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host forward1.ss.herndon.psi.net.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

            The Postfix program

<aprince at mail.vak12ed.edu>: host pen3.pen.k12.va.us[141.104.22.206]
said: 571
    5.0.0 Forged address 08-11-2004,,,wce (in reply to MAIL FROM command)

--955BBCACB.1092314963/forward1.ss.herndon.psi.net
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; forward1.ss.herndon.psi.net
Arrival-Date: Thu, 12 Aug 2004 08:48:15 -0400 (EDT)

Final-Recipient: rfc822; aprince at mail.vak12ed.edu
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host pen3.pen.k12.va.us[141.104.22.206]
said: 571
    5.0.0 Forged address 08-11-2004,,,wce (in reply to MAIL FROM command)

--955BBCACB.1092314963/forward1.ss.herndon.psi.net
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from spool1.ss.herndon.psi.net
(spool1-eth1.backend.ss.herndon.psi.net [10.100.1.100])
    by forward1.ss.herndon.psi.net (Postfix) with ESMTP id 955BBCACB
    for <aprince at mail.vak12ed.edu>; Thu, 12 Aug 2004 08:48:15 -0400 (EDT)
Received: from dpvc-68-163-71-216.res.east.verizon.net ([68.163.71.216]
helo=mail.vak12ed.edu)
    by spool1.ss.herndon.psi.net with esmtp (Exim 3.36 #1)
    id 1BvFAW-00067o-00
    for aprince at mail.vak12ed.edu; Thu, 12 Aug 2004 08:58:56 -0400
From: "Returned mail" <postmaster at mail.vak12ed.edu>
To: aprince at mail.vak12ed.edu
Subject: Aprince at mail.vak12ed.edu
Date: Thu, 12 Aug 2004 08:49:59 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0003_2463007D.E4BA8970"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <E1BvFAW-00067o-00 at spool1.ss.herndon.psi.net>

This is a multi-part message in MIME format.

------=_NextPart_000_0003_2463007D.E4BA8970
Content-Type: text/plain;
    charset=us-ascii
Content-Transfer-Encoding: 7bit

<<< Some encoded info >>>

------=_NextPart_000_0003_2463007D.E4BA8970
Content-Type: application/octet-stream;
    name="message.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="message.zip"

<<< Zipped Virus >>>


------=_NextPart_000_0003_2463007D.E4BA8970--



--955BBCACB.1092314963/forward1.ss.herndon.psi.net--

############################################################################
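A small checker added to this reply to make the nesting concrete (it is not MailScanner code): it parses a constructed bounce with the same shape as the one above, a multipart/report whose third part is the original message as message/rfc822, which in turn carries the zip, and lists every attachment with its full MIME path, so you can confirm a scanner's unpacking reaches parts buried inside bounces. Hostnames, addresses and the base64 body are placeholders.

```python
import email
from email import policy

# Constructed sample: multipart/report > message/rfc822 > multipart/mixed > zip.
# Hosts, addresses and the base64 body (it decodes to "dummy") are placeholders.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@relay.example.net (Mail Delivery System)
Content-Type: multipart/report; report-type=delivery-status; boundary="outer"

--outer
Content-Type: text/plain

The message returned below could not be delivered.

--outer
Content-Type: message/delivery-status

Final-Recipient: rfc822; user@mail.example.org
Action: failed

--outer
Content-Type: message/rfc822

From: "Returned mail" <postmaster@mail.example.org>
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: application/octet-stream; name="message.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="message.zip"

ZHVtbXk=
--inner--

--outer--
"""

def find_attachments(raw):
    """Return (MIME path, filename, decoded size) for every attachment, however deep."""
    found = []
    def visit(part, path):
        path = path + [part.get_content_type()]
        if part.is_multipart():  # true for multipart/* and for message/* wrappers
            for child in part.iter_parts():
                visit(child, path)
        elif part.get_filename():
            found.append((" > ".join(path), part.get_filename(),
                          len(part.get_payload(decode=True))))
    visit(email.message_from_string(raw, policy=policy.default), [])
    return found
```

Run it over a real bounce that slipped through and compare with what the scanner logged: if the zip shows up here but not there, the scanner stopped descending somewhere in that path.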
