Viruses Passing Through MailScanner/Sophos

Joe Guderjohn jwguderjohn at IEEE.ORG
Mon Aug 16 19:03:29 IST 2004


<x-flowed>
Julian Field wrote:

> At 17:00 16/08/2004, you wrote:
>
>> Julian Field wrote:
>>
>>> At 15:47 16/08/2004, you wrote:
>>>
>>>> Hello,
>>>>
>>>> I've seen this mentioned in previous posts, but I'm not sure if a
>>>> "universal" fix is available.
>>>>
>>>> Environment: MailScanner-4.29.7,  Sophos-3.82, Sendmail-8.12.11
>>>>
>>>> Problem: MyDoom-O (and maybe other) viruses occasionally pass through
>>>> MailScanner/Sophos undetected.
>>>>
>>>> Analysis: The infected messages that get past MailScanner/Sophos are
>>>> "multi-bounces",
>>>
>>> Can you send me the URL of a copy of one of these messages please.
>>> The last one I saw had corrupted headers, which stopped MailScanner finding
>>> the message buried in the body text. It does try to find all these
>>> "included" messages, but is apparently missing this one for some reason.
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> MailScanner thanks transtec Computers for their support
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>
>> Julian,
>>
>> Thanks for the prompt (as usual) response.
>>
>> Can I email you the message instead of supplying a URL?
>
>
> Well, yes, but what happens if my MailScanner catches it? I automatically
> bin virus warnings, so it could be a bit hard to track down your message.
>
>> I can't (don't know how to) produce a password protected zip file
>> on the Linux box where I have the message file, and I can't move
>> it to my Windows desktop because NAV immediately quarantines
>> it.
>
>
> And I reject password-protected zip files anyway.
>
>> I can gzip it and uuencode it - I think that will pass through most
>> virus scanners, or I can send you the message with the virus
>> 'snipped' out. Will either of these work for you?
>
>
> uuencoding won't help, and gzip will get undone by Clam at least. Try
> replacing the actual virus data with some other harmless text.
> And as soon as you have sent it to me, send me another message telling me
> you just sent it, so I know to go and hunt for it :-)
> --
> Julian Field
> www.MailScanner.info


Julian,

I just sent you an example of a message that passed through MailScanner.

Thanks for your time and attention.

Regards,

Joe
--
Joe Guderjohn

</x-flowed>
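Added example (not part of the original thread, and not MailScanner code): one way to follow the advice above and replace the encoded attachment data in a captured message with harmless text before sending it for analysis. The function name `defang`, the thresholds and the sample bounce are all constructed for illustration; it works on raw lines rather than parsed MIME so that data buried in a bounce body with corrupted headers is still replaced.

```python
import base64
import re

B64_CHARS = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')
MIN_LINE = 40   # shorter lines only count as the tail of a run already in progress

def defang(raw, min_run=3):
    """Replace runs of base64-looking lines with a one-line placeholder.

    Headers, boundaries and surrounding text are kept, so the message
    structure that confused the scanner is still there to reproduce.
    Returns (sanitized_text, runs_replaced)."""
    out, run, replaced = [], [], 0

    def flush():
        nonlocal replaced
        if len(run) >= min_run:
            out.append("[payload removed: %d base64 lines]" % len(run))
            replaced += 1
        else:
            out.extend(run)          # too short to be an attachment; keep as-is
        run.clear()

    for line in raw.splitlines():
        core = line.lstrip("> \t")   # tolerate quoting/indentation added by bounces
        is_b64 = bool(B64_CHARS.match(core)) and len(core) % 4 == 0
        if is_b64 and len(core) >= MIN_LINE:
            run.append(line)
        elif is_b64 and run:         # short final line of the encoded block
            run.append(line)
            flush()
        else:
            flush()
            out.append(line)
    flush()
    return "\n".join(out), replaced

# Constructed sample: a bounce whose text body carries an encoded block of filler bytes.
PAYLOAD = base64.encodebytes(b"X" * 519).decode().rstrip("\n")
SAMPLE = "\n".join([
    "From: MAILER-DAEMON@mx.example",
    "Subject: Returned mail: see transcript for details",
    "",
    "   ----- Original message follows -----",
    "Content-Transfer-Encoding: base64",
    "",
    PAYLOAD,
    "--constructed-boundary--",
])
```

Review the output by eye before sending: a body encoded some other way (quoted-printable, uuencode) is not touched by this check.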


