Fix -- Re: Mydoom Virus getting Through

Julian Field mailscanner at ecs.soton.ac.uk
Wed Feb 11 21:34:35 GMT 2004


I have hopefully managed to make the MIME parser a lot more robust. It
certainly appears to solve the current problem. If you are running a nice
recent version, back up your old Message.pm and replace it with this one.

Then please test it against the copies of MyDoom that are getting through.

The result of a fine evening spent wading through MIME-tools code and
deciding that it can't rewind :-(

Let me know how it goes.

At 20:37 11/02/2004, you wrote:
>Daniel Kleinsinger wrote:
>
>>Julian Field wrote:
>>
>>>The message that contained the MyDoom that got through Sophos (before
>>>3.78d) was actually a bounce from another mail server that included the
>>>entire text of the original message.
>>>
>>>Fortunately it's not been a big problem so far, but I would quite
>>>like to fix it if I can.
>>>
>>>
>>I'm running Sophos in addition to Trend and F-Prot.  Using MailWatch I
>>checked which viruses got caught by which scanner and before installing
>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>MyDoom.A slipped past Sophos every day).  Since installing 3.78d
>>(yesterday) Sophos is catching all that Trend and F-Prot are.  There
>>still seem to be some people having issues with 3.78d, but in my case it
>>seems like it was a problem with Sophos, not MailScanner.
>>
>>Daniel
>
>I would suggest that this is as much an antivirus issue. I run F-prot and
>Antivir and until Antivir updated their engine about a week ago only
>F-prot was reliably catching the bounce messages with the original
>message attached. With the new engine, all is well again and both are
>catching them. Looks like F-Prot had a better message scanning engine
>than the others had at the time.
>
>Drew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.pm
Type: application/octet-stream
Size: 122833 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040211/941d5ad7/Message.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
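
The failure mode discussed in this thread is a bounce that carries the whole original message. The Python sketch below is an added example, not part of the original post and not MailScanner's Perl code: it lists attachment filenames both from the MIME tree and from an original message pasted into a text body. The function name, the header-start heuristic and the sample bounce are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Heuristic (assumption of this example): a pasted original message starts at
# the first header-looking line that follows a blank line in a text body.
EMBEDDED = re.compile(
    r"\n\n(?=(?:Received|Return-Path|Message-ID|MIME-Version|From):)", re.I)

def attachment_names(raw, reparse_text=True, depth=0, max_depth=5):
    """List attachment filenames, including those inside a quoted original."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():  # walk() already descends into message/rfc822 parts
        if part.get_filename():
            found.append(part.get_filename())
        if (reparse_text and depth < max_depth
                and part.get_content_type() == "text/plain"):
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            hit = EMBEDDED.search(text)
            if hit:  # re-parse the pasted message as a message in its own right
                found += attachment_names(text[hit.end():], True, depth + 1, max_depth)
    return found

# Constructed sample: a bounce whose text/plain body carries the original message.
BOUNCE = """\
From: MAILER-DAEMON@mail.example
Subject: Undeliverable mail
Content-Type: text/plain

Delivery failed. The original message follows.

From: someone@example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

test
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.zip"

dummy placeholder bytes
--b1--
"""

if __name__ == "__main__":
    print(attachment_names(BOUNCE, reparse_text=False), attachment_names(BOUNCE))
```

Walking only the MIME tree reports no attachment for this bounce, because the original message is just text to the parser; the re-parse step is what exposes `document.zip` to a filename or content check.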

