Fix -- Re: Mydoom Virus getting Through

Ken Anderson ka at PACIFIC.NET
Wed Feb 11 23:15:36 GMT 2004


I tried installing this Message.pm and restarted MailScanner, but I
quickly built up a large incoming queue and all exploding in /incoming
stopped happening. The directory stayed empty after restarting
MailScanner. I'm not sure what caused it, but things went back to normal
after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
recent enough version?
Thanks,
Ken A
Pacific.Net


Julian Field wrote:

> I have hopefully managed to make the MIME parser a lot more robust. It
> certainly appears to solve the current problem. If you are running a nice
> recent version, backup your old Message.pm and replace it with this one.
>
> Then please test it against the copies of MyDoom that are getting through.
>
> The result of a fine evening spent wading through MIME-tools code and
> deciding that it can't rewind :-(
>
> Let me know how it goes.
>
> At 20:37 11/02/2004, you wrote:
>
>> Daniel Kleinsinger wrote:
>>
>>> Julian Field wrote:
>>>
>>>> The message that contained the MyDoom that got through Sophos (before
>>>> 3.78d) was actually a bounce from another mail server that included the
>>>> entire text of the original message.
>>>>
>>>> Fortunately it's not been a big problem so far, but I would quite
>>>> like to fix it if I can.
>>>>
>>>>
>>> I'm running Sophos in addition to Trend and F-Prot.  Using MailWatch I
>>> checked which virii got caught by which scanner and before installing
>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>> MyDoom.A slipped past Sophos every day).  Since installing 3.78d
>>> (yesterday) Sophos is catching all that Trend and F-Prot are.  There
>>> still seem to be some people having issues with 3.78d, but in my case it
>>> seems like it was a problem with Sophos, not MailScanner.
>>>
>>> Daniel
>>
>>
>> I would suggest that this is as much an antivirus issue. I run F-Prot and
>> Antivir and until Antivir updated their engine about a week ago only
>> F-Prot was reliably catching the bounce messages with the original
>> message attached. With the new engine, all is well again and both are
>> catching them. Looks like F-Prot had a better message scanning engine
>> than the others had at the time.
>>
>> Drew
>>
>> --
>> In line with our policy, this message has
>> been scanned for viruses and dangerous
>> content by MailScanner, and is believed to be clean.
>> www.themarshalls.co.uk/policy
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


