Mydoom Virus getting Through

Kyle Harris lists at TRCINTL.COM
Wed Feb 11 16:08:54 GMT 2004

On Wed, 11 Feb 2004 10:50:31 -0500, Michael Dahlberg
<dahlberg at BUCKNELL.EDU> wrote:

>Kyle Harris [lists at TRCINTL.COM] wrote:
>> I have been running MailScanner for quite some time and it has
>> found literally thousands of e-mails infected with the Mydoom virus, as
>> well as many others.  However, I have noticed that every now and then for
>> whatever reason one seems to slip through MailScanner.  The reason I know
>> this is that my mail is first scanned with MailScanner (using eTrust
>> Antivirus 7.0) and then it is sent on to another machine running
>> InterScan VirusWall (I had that in place before MailScanner).
>> On about 4 occasions since the outbreak of Mydoom, a copy of the virus
>> made it through MailScanner undetected and has then been caught by the
>> TrendMicro product.  I had it happen several times already today.  I
>> checked the e-mail ID and I see in the log on MailScanner where it passed
>> through without a hitch.
>> I seem to recall someone posting something earlier about this occurring
>> while using the Sophos antivirus product.  I just thought this might be
>> something to take note of.  By the way, I am currently using MailScanner
>> version 4.26.8 and my virus signatures are up to date.  TrendMicro
>> InterScan VirusWall reports the e-mail messages in question as having
>> Mydoom.A.
>Did you ever find a fix to this problem?
>We're experiencing a similar problem.  A number of messages are
>passing through MailScanner(4.13-3)/Sophos and then are interpreted as
>MyDoom-infected when they reach the client's MUA (Eudora) on a system
>which is running Symantec's Antivirus software.  If these messages are
>intercepted before being downloaded to the client's system, they look
>as if they might have something wrong with the MIME header because
>some MUAs will interpret the message as not having an attachment.
>Do you see something similar?

I experienced this at least 10 times yesterday (they seemed to come
relatively close together) and had experienced it about 3 or 4 times in
days prior to that.  Julian asked if I could send one to him so I enabled
archiving and as luck would have it, I have not seen another one get
through since.  I had to disable archiving as I had too many mail messages
building up, but I am keeping a close eye for them and if I see one go
through I am planning on quickly enabling the archive option again to see
if maybe another will go through that I can catch and send to Julian.

It does sound like you are experiencing what I am though.

Kyle H.
