Sophos missed MyDoom-A bounced msg

Travis Taylor 20020401 at DUH.NET
Mon Feb 9 16:44:58 GMT 2004

We are trying to figure out how an email slipped past MailScanner with
Sophos.  Symantec quarantined the message on the server when the user
checked her mail this morning.

The message was a bounce from a site that does not permit executables.

Here is the message recovered from the quarantine server:

Received: from not authenticated
        by with NetMail SMTP Agent $Revision:  $ on Novell NetWare;
        Fri, 06 Feb 2004 08:36:46 -0600
Received: from ( [])
        by (8.12.8/8.12.8) with SMTP id
        for <khays at>; Fri, 6 Feb 2004 08:36:22 -0600
X-Envelope-To: <khays at>
Message-Id: <200402061436.i16EaM6L008388 at>
Received: (qmail 15257 invoked for bounce); 6 Feb 2004 14:27:02 -0000
Date: 6 Feb 2004 14:27:02 -0000
To: khays at
Subject: failure notice
X-USD373-MailScanner-Information: Mail scanned using
X-USD373-MailScanner: Found to be clean
X-USD373-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.903,
        required 5, LARGE_HEX 1.59, MSGID_FROM_MTA_HEADER 0.76,
        NO_REAL_NAME 0.28, UPPERCASE_25_50 0.26)
X-USD373-MailScanner-SpamScore: ss

Hi. This is the qmail-send program at
I'm afraid I wasn't able to deliver your message to the following
This is a permanent error; I've given up. Sorry it didn't work out.

<ugaw at>:
No executable files accepted.
Message rejected 1076077622 pid 2773

--- Below this line is a copy of the message.

Return-Path: <khays at>
Received: (qmail 32431 invoked from network); 6 Feb 2004 13:43:40 -0000
Received: from (
  by ([])
  with ESMTP via TCP; 06 Feb 2004 13:43:40 -0000
From: khays at
To: ugaw at
Subject: Status
Date: Fri, 6 Feb 2004 07:43:35 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit


Content-Type: application/octet-stream;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;



So far MailScanner has caught 1817 MyDoom-A viruses. With the exception of
27 MyDoom-infected messages that slipped through during the window
when the virus was released in the wild and before Sophos updated the
definitions, MailScanner and Sophos have caught every one since, until now.
Anyone got some ideas on what to check or how to verify this got

Is this something we need to send to Sophos?

Using RH 9, MailScanner v4.23-11, and Sophos v3.75

Travis Taylor, EMail Administrator
Newton Unified School District #373
Educational Technology Center
116 West 7th
Newton, KS 67114

More information about the MailScanner mailing list
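The bounce above is a plain-text qmail failure notice that carries a verbatim copy of the rejected message, base64 attachment included, below the "--- Below this line is a copy of the message." marker. Because the outer message declares no MIME structure, a scanner that only walks the declared parts sees one text body and never decodes the attachment inside the copy. The following is an added example (not code from the original post, MailScanner, Sophos or qmail) showing how to pull the copied message back out of a qmail-style bounce, parse it as its own RFC 822 message and flag attachments whose decoded bytes begin with the "MZ" DOS/PE header. The sample bounce, the addresses, the attachment name "document.pif" and the attachment payload are all constructed for the example; the payload is a stub that only begins with "MZ" and is not a real program.

```python
import base64
import email
from email import policy

# qmail-send puts this line between its diagnostic text and the copied message.
QMAIL_COPY_MARKER = "--- Below this line is a copy of the message."

# Constructed attachment payload: a stub that merely starts with the DOS/PE
# "MZ" header marker. It is not an executable and does nothing if run.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"constructed stub, not a real program\n"
FAKE_EXE_B64 = base64.b64encode(FAKE_EXE).decode("ascii")

# Constructed copy of the rejected message (hypothetical addresses and names).
COPIED_MESSAGE = (
    "Return-Path: <sender@example.com>\n"
    "From: sender@example.com\n"
    "To: recipient@example.org\n"
    "Subject: Status\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="----=_Part_000"\n'
    "\n"
    "This is a multi-part message in MIME format.\n"
    "\n"
    "------=_Part_000\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "See attached.\n"
    "\n"
    "------=_Part_000\n"
    'Content-Type: application/octet-stream; name="document.pif"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="document.pif"\n'
    "\n"
    f"{FAKE_EXE_B64}\n"
    "------=_Part_000--\n"
)

# Constructed qmail-style bounce: no Content-Type header, so MIME parsers treat
# the whole body, copied message and all, as a single text/plain part.
BOUNCE = (
    "To: sender@example.com\n"
    "Subject: failure notice\n"
    "\n"
    "Hi. This is the qmail-send program at mail.example.org.\n"
    "I'm afraid I wasn't able to deliver your message to the following addresses.\n"
    "This is a permanent error; I've given up. Sorry it didn't work out.\n"
    "\n"
    "<recipient@example.org>:\n"
    "No executable files accepted.\n"
    "\n"
    f"{QMAIL_COPY_MARKER}\n"
    "\n"
    + COPIED_MESSAGE
)
BOUNCE_BYTES = BOUNCE.encode("ascii")


def extract_copied_message(bounce_bytes: bytes):
    """Return the message copied into a qmail-style bounce body, or None."""
    outer = email.message_from_bytes(bounce_bytes, policy=policy.default)
    if outer.is_multipart():
        return None  # a multipart DSN is walked normally by the scanner instead
    body = outer.get_content()
    marker_at = body.find(QMAIL_COPY_MARKER)
    if marker_at < 0:
        return None
    copy_text = body[marker_at + len(QMAIL_COPY_MARKER):].lstrip("\r\n")
    return email.message_from_string(copy_text, policy=policy.default)


def find_executable_attachments(msg) -> list:
    """Walk every leaf MIME part and report those whose decoded bytes start with 'MZ'."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload and payload[:2] == b"MZ":
            hits.append((part.get_filename() or "(unnamed)", part.get_content_type()))
    return hits


def scan_bounce(bounce_bytes: bytes) -> dict:
    """Scan the bounce as delivered and, separately, the message copied inside it."""
    outer = email.message_from_bytes(bounce_bytes, policy=policy.default)
    result = {"outer": find_executable_attachments(outer), "copied": []}
    inner = extract_copied_message(bounce_bytes)
    if inner is not None:
        result["copied"] = find_executable_attachments(inner)
    return result


if __name__ == "__main__":
    print(scan_bounce(BOUNCE_BYTES))
```

Scanning the bounce as delivered finds nothing, because the only declared part is text; re-parsing the copied message turns up the base64 attachment with the "MZ" header. A mail gateway that wants to catch this case has to recognise the bounce format and rescan the embedded copy (or, at minimum, base64-decode suspicious runs inside text bodies), rather than relying on the outer MIME structure alone.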