Mydoom Virus getting Through

Kyle Harris lists at TRCINTL.COM
Wed Feb 11 18:32:10 GMT 2004

On Wed, 11 Feb 2004 16:27:38 +0000, Julian Field
<mailscanner at ECS.SOTON.AC.UK> wrote:

>I found at least 1 part of the problem.
>The message that contained the MyDoom that got through Sophos (before
>3.78d) was actually a bounce from another mail server that included the
>entire text of the original message.
>This message does not have the right MIME structure for the MIME-tools to
>be able to open it, as it is a text/plain message that just happens to
>contain text which contains a mime structure. So MIME-tools quite fairly
>won't extract the attachments from within it.
>I now have an example message of this type, and so I will spend some time
>working on a solution to it. No guarantees, though, the MIME-tools code is
>pretty heavy reading.
>So don't bother sending me any more, I think the one message I have is a
>good example of the type of problem. It can also occur with other viruses,
>it's a problem caused by MTAs bouncing the entire message. Fortunately
>it's not been a big problem so far, but I would quite like to fix it if I
>Julian Field
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

I think I just found another one and it appears to match your explanation
above.  It appears to be a bounce with the original message, at least that
is what I think it is.  Judging by the number of other people that have
replied to this post, seems like several others are experiencing this same
problem.  If it helps any, I have been thinking back and I updated my
MailScanner to 4.26.8 a week or so back and I don't recall having this
happen before that time.  Could be a coincidence or maybe my bad memory but
I thought I would throw that in.

Kyle H.
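
The failure described in the quoted message, reproduced with Python's standard `email` parser as an added example (not MailScanner's code, not MIME-tools, and not the fix mentioned in the thread): a text/plain bounce exposes no attachments until the message quoted in its body is re-parsed. The sample messages, addresses and the helper names `parse`, `attachments` and `embedded_messages` are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample: the original message, multipart with one attachment.
INNER = (
    "From: sender@example.com\r\n"
    "Subject: hi\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="BOUND"\r\n\r\n'
    "--BOUND\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    "--BOUND\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="sample.bin"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\ndGVzdA==\r\n"
    "--BOUND--\r\n"
)
# Constructed bounce: text/plain at the top level, original quoted in the body.
BOUNCE = (
    "From: MAILER-DAEMON@mx.example.net\r\n"
    "Subject: Undeliverable mail\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "Delivery failed. Original message follows:\r\n\r\n" + INNER
)
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:[ \t]", re.M)

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def attachments(msg):
    """Filenames of the parts a MIME parser reaches by walking the tree."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def embedded_messages(msg):
    """Re-parse each text/plain body starting at header-like lines and
    keep the first candidate that parses as a multipart message."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_content()
        for m in HEADER_LINE.finditer(body):
            candidate = parse(body[m.start():])
            if candidate.is_multipart():
                found.append(candidate)
                break
    return found

if __name__ == "__main__":
    top = parse(BOUNCE)
    print("visible at top level:", attachments(top))
    for inner in embedded_messages(top):
        print("found in quoted message:", attachments(inner))
```

A scanner that only walks the declared MIME tree sees the first result; the second pass is what hands the quoted attachment to the virus engine.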
