Sophos missed MyDoom-A bounced msg

Travis Taylor 20020401 at DUH.NET
Mon Feb 9 16:44:58 GMT 2004


We are trying to figure out how an email slipped past MailScanner with
Sophos.  Symantec quarantined the message on the server when the user
checked her mail this morning.

The message was a bounce from a site that does not permit executables.

Here is the message recovered from the quarantine server:

Received: from emailscanner.newton.k12.ks.us not authenticated
[192.168.254.10]
        by newton.k12.ks.us with NetMail SMTP Agent $Revision:
3.22.1.3  $ on Novell NetWare;
        Fri, 06 Feb 2004 08:36:46 -0600
Received: from mx07.futurequest.net (mx07.futurequest.net [69.5.6.178])
        by emailscanner.newton.k12.ks.us (8.12.8/8.12.8) with SMTP id
i16EaM6L008388
        for <khays at newton.k12.ks.us>; Fri, 6 Feb 2004 08:36:22 -0600
X-Envelope-To: <khays at newton.k12.ks.us>
Message-Id: <200402061436.i16EaM6L008388 at emailscanner.newton.k12.ks.us>
Received: (qmail 15257 invoked for bounce); 6 Feb 2004 14:27:02 -0000
Date: 6 Feb 2004 14:27:02 -0000
From: MAILER-DAEMON at mx07.futurequest.net
To: khays at newton.k12.ks.us
Subject: failure notice
X-USD373-MailScanner-Information: Mail scanned using
http://mailscanner.info
X-USD373-MailScanner: Found to be clean
X-USD373-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.903,
        required 5, LARGE_HEX 1.59, MSGID_FROM_MTA_HEADER 0.76,
        NO_REAL_NAME 0.28, UPPERCASE_25_50 0.26)
X-USD373-MailScanner-SpamScore: ss

Hi. This is the qmail-send program at mx07.futurequest.net.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ugaw at myparentime.com>:
No executable files accepted.
Message rejected 1076077622 pid 2773

--- Below this line is a copy of the message.

Return-Path: <khays at newton.k12.ks.us>
Received: (qmail 32431 invoked from network); 6 Feb 2004 13:43:40 -0000
Received: from newton.k12.ks.us (hillsboro-bm.teen.k12.ks.us
[65.241.105.189])
  by mx07.futurequest.net ([69.5.6.178])
  with ESMTP via TCP; 06 Feb 2004 13:43:40 -0000
From: khays at newton.k12.ks.us
To: ugaw at myparentime.com
Subject: Status
Date: Fri, 6 Feb 2004 07:43:35 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0004_9E42CB75.1E93C406"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0004_9E42CB75.1E93C406
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit

[snip]

------=_NextPart_000_0004_9E42CB75.1E93C406
Content-Type: application/octet-stream;
        name="readme.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="readme.scr"

[snip]

------=_NextPart_000_0004_9E42CB75.1E93C406--


So far MailScanner has caught 1817 MyDoom-A viruses. With the exception of
27 MyDoom-infected messages that slipped through during the window
between the virus being released in the wild and Sophos updating the
definitions, MailScanner and Sophos have caught every one since, until now.
Anyone got some ideas on what to check or how to verify this got
through?

Is this something we need to send to Sophos?

Using RH 9, MailScanner v4.23-11, and Sophos v3.75

---
Travis Taylor, EMail Administrator
Newton Unified School District #373
Educational Technology Center
116 West 7th
Newton, KS 67114
316-284-6251
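The qmail bounce quoted above carries the original message as plain text after the "--- Below this line is a copy of the message." marker rather than as a message/rfc822 part, so a scanner that only walks the declared MIME parts may never see the readme.scr attachment. The following is an added example (not code from the post or from MailScanner) that walks a message, re-parses any copied message found inside a qmail-style bounce body, and reports attachment names with executable extensions; the sample bounce and the extension list are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the bounce quoted in the post (placeholder base64).
BOUNCE = """From: MAILER-DAEMON@mx07.futurequest.net
Subject: failure notice

Hi. This is the qmail-send program at mx07.futurequest.net.
--- Below this line is a copy of the message.

From: khays@newton.k12.ks.us
To: ugaw@myparentime.com
Subject: Status
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0004_9E42CB75.1E93C406"

------=_NextPart_000_0004_9E42CB75.1E93C406
Content-Type: text/plain; charset="Windows-1252"

[snip]
------=_NextPart_000_0004_9E42CB75.1E93C406
Content-Type: application/octet-stream; name="readme.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.scr"

cGxhY2Vob2xkZXI=
------=_NextPart_000_0004_9E42CB75.1E93C406--
"""
QMAIL_MARKER = "--- Below this line is a copy of the message."
# Extensions a filename rule would normally block (assumed list, not MailScanner's).
RISKY_EXT = re.compile(r"\.(scr|pif|exe|bat|cmd|com)$", re.I)

def attachment_names(msg):
    # Collect filenames, descending into any message copied as plain text in a bounce.
    names = []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename())
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True).decode("latin-1", "replace")
        if QMAIL_MARKER in body:
            copied = body.split(QMAIL_MARKER, 1)[1].lstrip()
            names.extend(attachment_names(message_from_string(copied)))
    return names

def risky_attachments(raw):
    # Filenames with executable extensions found anywhere in the raw message.
    return [n for n in attachment_names(message_from_string(raw)) if RISKY_EXT.search(n)]
```

Running `risky_attachments(BOUNCE)` flags the copied readme.scr even though the outer bounce declares no attachment at all.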
