Fix -- Re: Mydoom Virus getting Through

Julian Field mailscanner at ecs.soton.ac.uk
Thu Feb 12 08:35:08 GMT 2004


Please try this patch instead of the new Message.pm.

cd /usr/lib/MailScanner/MailScanner
cp Message.pm Message.pm.safe
patch -p0 < Message.pm.4.26.5.patch
service MailScanner restart

If it still fails, set "Debug = yes" in MailScanner.conf, then

service MailScanner stop
sleep 15
check_MailScanner

and let me know what it says.

At 23:38 11/02/2004, you wrote:
>Looking at the log, I see that MailScanner failed to start.
>Ken
>
>
>Ken Anderson wrote:
>
>>I tried installing this Message.pm and restarted MailScanner, but I
>>quickly built up a large incoming queue and all exploding in /incoming
>>stopped happening. The directory stayed empty after restarting
>>MailScanner. I'm not sure what caused it, but things went back to normal
>>after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
>>recent enough version?
>>Thanks,
>>Ken A
>>Pacific.Net
>>
>>
>>Julian Field wrote:
>>
>>>I have hopefully managed to make the MIME parser a lot more robust. It
>>>certainly appears to solve the current problem. If you are running a nice
>>>recent version, back up your old Message.pm and replace it with this one.
>>>
>>>Then please test it against the copies of MyDoom that are getting
>>>through.
>>>
>>>The result of a fine evening spent wading through MIME-tools code and
>>>deciding that it can't rewind :-(
>>>
>>>Let me know how it goes.
>>>
>>>At 20:37 11/02/2004, you wrote:
>>>
>>>>Daniel Kleinsinger wrote:
>>>>
>>>>>Julian Field wrote:
>>>>>
>>>>>>The message that contained the MyDoom that got through Sophos (before
>>>>>>3.78d) was actually a bounce from another mail server that included
>>>>>>the entire text of the original message.
>>>>>>
>>>>>>Fortunately it's not been a big problem so far, but I would quite
>>>>>>like to fix it if I can.
>>>>>>
>>>>>I'm running Sophos in addition to Trend and F-Prot.  Using MailWatch I
>>>>>checked which viruses got caught by which scanner and before installing
>>>>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>>>>MyDoom.A slipped past Sophos every day).  Since installing 3.78d
>>>>>(yesterday) Sophos is catching all that Trend and F-Prot are.  There
>>>>>still seem to be some people having issues with 3.78d, but in my
>>>>>case it seems like it was a problem with Sophos, not MailScanner.
>>>>>
>>>>>Daniel
>>>>
>>>>
>>>>
>>>>I would suggest that this is as much an antivirus issue. I run F-prot and
>>>>Antivir and until Antivir updated their engine about a week ago only
>>>>F-prot was reliably catching the bounce messages with the original
>>>>message attached. With the new engine, all is well again and both are
>>>>catching them. Looks like F-Prot had a better message scanning engine
>>>>than the others had at the time.
>>>>
>>>>Drew
>>>>
>>>>--
>>>>In line with our policy, this message has
>>>>been scanned for viruses and dangerous
>>>>content by MailScanner, and is believed to be clean.
>>>>www.themarshalls.co.uk/policy
>>>
>>>
>>>--
>>>Julian Field
>>>www.MailScanner.info
>>>Professional Support Services at www.MailScanner.biz
>>>MailScanner thanks transtec Computers for their support
>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.pm.4.26.5.patch
Type: application/octet-stream
Size: 10165 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040212/f720b5fd/Message.pm.4.26.5.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
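
The thread above describes a bounce that carried the entire text of the original message. The following is an added example, not code from this post, from MailScanner or from the attached patch: it shows why a walk over the declared MIME structure sees no attachment in such a bounce, and one way to re-parse the quoted message. The sample messages, addresses, file name and function names are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample (not real traffic): the original message, then a bounce
# whose text/plain body quotes it in full, MIME headers and attachment included.
ORIGINAL = (
    "From: sender@example.org\r\nSubject: hi\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="document.pif"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="document.pif"\r\n\r\n'
    "Q09OU1RSVUNURUQ=\r\n--b1--\r\n"
)
BOUNCE = (
    "From: MAILER-DAEMON@example.net\r\nSubject: Undeliverable mail\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "Delivery failed. Original message follows:\r\n\r\n" + ORIGINAL
)

# A line that looks like the start of an RFC 822 header block.
HEADER_START = re.compile(r"^(?:From|Received|Return-Path|MIME-Version):", re.M | re.I)


def naive_attachments(msg):
    """Filenames visible from the declared MIME structure only."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def deep_attachments(msg, depth=0, max_depth=5):
    """Also re-parse text parts that quote a complete message (bounded depth)."""
    found = []
    for part in msg.walk():
        if part.get_filename():
            found.append(part.get_filename())
        if part.get_content_type() != "text/plain" or depth >= max_depth:
            continue
        text = part.get_payload(decode=True).decode("latin-1")
        start = HEADER_START.search(text)
        if start:
            inner = email.message_from_string(text[start.start():], policy=policy.default)
            if inner.is_multipart():
                found += deep_attachments(inner, depth + 1, max_depth)
    return found


bounce = email.message_from_string(BOUNCE, policy=policy.default)
print(naive_attachments(bounce), deep_attachments(bounce))
```

The depth limit keeps a message that quotes itself repeatedly from driving unbounded recursion in the scanner.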

