Fix -- Re: Mydoom Virus getting Through

Ken Anderson ka at PACIFIC.NET
Wed Feb 11 23:38:05 GMT 2004


Looking at the log, I see that MailScanner failed to start.
Ken


Ken Anderson wrote:

> I tried installing this Message.pm and restarted MailScanner, but I
> quickly built up a large incoming queue and all exploding in /incoming
> stopped happening. The directory stayed empty after restarting
> MailScanner. I'm not sure what caused it, but things went back to normal
> after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
> recent enough version?
> Thanks,
> Ken A
> Pacific.Net
>
>
> Julian Field wrote:
>
>> I have hopefully managed to make the MIME parser a lot more robust. It
>> certainly appears to solve the current problem. If you are running a nice
>> recent version, back up your old Message.pm and replace it with this one.
>>
>> Then please test it against the copies of MyDoom that are getting
>> through.
>>
>> The result of a fine evening spent wading through MIME-tools code and
>> deciding that it can't rewind :-(
>>
>> Let me know how it goes.
>>
>> At 20:37 11/02/2004, you wrote:
>>
>>> Daniel Kleinsinger wrote:
>>>
>>>> Julian Field wrote:
>>>>
>>>>> The message that contained the MyDoom that got through Sophos (before
>>>>> 3.78d) was actually a bounce from another mail server that included
>>>>> the entire text of the original message.
>>>>>
>>>>> Fortunately it's not been a big problem so far, but I would quite
>>>>> like to fix it if I can.
>>>>>
>>>>>
>>>> I'm running Sophos in addition to Trend and F-Prot.  Using MailWatch I
>>>> checked which viruses got caught by which scanner and before installing
>>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>>> MyDoom.A slipped past Sophos every day).  Since installing 3.78d
>>>> (yesterday) Sophos is catching all that Trend and F-Prot are.  There
>>>> still seem to be some people having issues with 3.78d, but in my
>>>> case it seems like it was a problem with Sophos, not MailScanner.
>>>>
>>>> Daniel
>>>
>>>
>>>
>>> I would suggest that this is as much an antivirus issue. I run F-prot and
>>> Antivir and until Antivir updated their engine about a week ago only
>>> F-prot was reliably catching the bounce messages with the original
>>> message attached. With the new engine, all is well again and both are
>>> catching them. Looks like F-Prot had a better message scanning engine
>>> than the others had at the time.
>>>
>>> Drew
>>>
>>> --
>>> In line with our policy, this message has
>>> been scanned for viruses and dangerous
>>> content by MailScanner, and is believed to be clean.
>>> www.themarshalls.co.uk/policy
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Professional Support Services at www.MailScanner.biz
>> MailScanner thanks transtec Computers for their support
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
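
Added example, not part of the original thread and not MailScanner's code: a Python sketch of the failure mode discussed above, where a bounce carries the original message (attached, or pasted into the body text) and a scan that only looks at the outermost MIME parts never sees the attachment. The sample messages, addresses, file name and the header-matching heuristic are constructed assumptions.

```python
import email, re
from email import policy
from email.message import EmailMessage

# Assumption: an inlined original is recognised by a multipart Content-Type header line.
EMBEDDED = re.compile(r"(?im)^content-type:\s*multipart/")

def top_level_only(msg):
    """Naive scan: filenames of the outermost parts only."""
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    return [p.get_filename() for p in parts if p.get_filename()]

def find_attachments(msg, path="top"):
    """(path, filename) for every named part, descending into embedded messages."""
    found = [(path, msg.get_filename())] if msg.get_filename() else []
    if msg.is_multipart():  # true for multipart/* and for message/rfc822
        for i, part in enumerate(msg.get_payload()):
            found += find_attachments(part, f"{path}/{i}")
    elif msg.get_content_type() == "text/plain":
        text = msg.get_content().replace("\r\n", "\n")
        hit = EMBEDDED.search(text)
        if hit:  # re-parse from the start of the header block containing the hit
            cut = text.rfind("\n\n", 0, hit.start())
            start = cut + 2 if cut >= 0 else 0
            inner = email.message_from_string(text[start:], policy=policy.default)
            if inner.is_multipart():  # guard: only recurse on a real parse
                found += find_attachments(inner, path + "/inline")
    return found

def sample_original():
    """Constructed sample message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "nobody@example.org", "hi"
    m.set_content("test")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="document.zip")
    return m

def sample_bounce(inline):
    """Constructed bounce: original pasted into the body, or attached as message/rfc822."""
    b = EmailMessage()
    b["From"], b["To"] = "MAILER-DAEMON@example.org", "sender@example.com"
    b["Subject"] = "Undelivered Mail Returned to Sender"
    note = "Delivery failed; the original message follows.\n\n"
    b.set_content(note + sample_original().as_string() if inline else note)
    if not inline:
        b.add_attachment(sample_original())
    return email.message_from_bytes(b.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for inline in (False, True):
        msg = sample_bounce(inline)
        print(inline, top_level_only(msg), find_attachments(msg))
```
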


