Mydoom Virus getting Through
mailscanner at ecs.soton.ac.uk
Wed Feb 11 16:27:38 GMT 2004
I found at least 1 part of the problem.
The message that contained the MyDoom that got through Sophos (before
3.78d) was actually a bounce from another mail server that included the
entire text of the original message.
This message does not have the right MIME structure for the MIME-tools to
be able to open it, as it is a text/plain messsage that just happens to
contain text which contains a mime structure. So MIME-tools quite fairly
won't extract the attachments from within it.
I now have an example message of this type, and so I will spend some time
working on a solution to it. No guarantees, though, the MIME-tools code is
pretty heavy reading.
So don't bother sending me any more, I think the one message I have is a
good example of the type of problem. It can also occur with other viruses,
it's a problem caused by MTA's bouncing the entire message. Fortunately
it's not been a big problem so far, but I would quite like to fix it if I can.
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
More information about the MailScanner