Mydoom Virus getting Through

Julian Field mailscanner at ecs.soton.ac.uk
Wed Feb 11 16:27:38 GMT 2004


I found at least 1 part of the problem.

The message that contained the MyDoom that got through Sophos (before
3.78d) was actually a bounce from another mail server that included the
entire text of the original message.

This message does not have the right MIME structure for the MIME-tools to
be able to open it, as it is a text/plain message that just happens to
contain text which contains a mime structure. So MIME-tools quite fairly
won't extract the attachments from within it.

I now have an example message of this type, and so I will spend some time
working on a solution to it. No guarantees, though, the MIME-tools code is
pretty heavy reading.

So don't bother sending me any more, I think the one message I have is a
good example of the type of problem. It can also occur with other viruses,
it's a problem caused by MTAs bouncing the entire message. Fortunately
it's not been a big problem so far, but I would quite like to fix it if I can.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
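
The parsing gap described in the message above, as an added example that is not part of the original post and is not MailScanner or MIME-tools code. Python's standard `email` parser stands in for MIME-tools; the bounce text, the addresses and the `embedded_message` heuristic are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample: a text/plain bounce whose body quotes a complete
# multipart message (headers, boundary, base64 part) as ordinary text.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
Subject: Undeliverable mail
Content-Type: text/plain; charset=us-ascii

Your message could not be delivered. The original message follows.

From: user@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

test
--XYZ
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.zip"

AAAAAAAA
--XYZ--
"""

HEADER = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:\s")

def attachments(msg):
    """Filenames of every part the MIME parser exposes for scanning."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def embedded_message(msg):
    """Re-parse a text/plain body that quotes a whole multipart message."""
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return None
    lines = msg.get_content().splitlines()
    for i, line in enumerate(lines):
        # A quoted message starts with a header line right after a blank line.
        starts_block = i == 0 or lines[i - 1].strip() == ""
        if starts_block and HEADER.match(line):
            inner = email.message_from_string("\n".join(lines[i:]), policy=policy.default)
            if inner.is_multipart():  # only accept a real MIME structure
                return inner
    return None
```

Parsing `BOUNCE` directly yields a single text/plain part with no attachments; the quoted `document.zip` part only becomes visible to a scanner once `embedded_message` re-parses the body.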


