Fix -- Re: Mydoom Virus getting Through

Julian Field mailscanner at ecs.soton.ac.uk
Thu Feb 12 12:35:27 GMT 2004


At 12:05 12/02/2004, you wrote:
>Hi Julian,
>
>I'm running 4.25-14 and got the following output when applying the patch.
>Is there a patch for my version?  I'd prefer not to have to upgrade all of
>our boxes if I can - we have a reasonable number :)

Hunks 11, 12 and 13 aren't important. That was just a slight feature tweak
I did for someone.

However, I don't like the 107 line offsets, they look like patch didn't work.

I have attached a patch for 4.25-14 for you. It may require a new setting
or 2 in your MailScanner.conf to control any new features that are in this
file.


>23:02:47 - mx1.mailsecurity.net.au : root - MailScanner> patch -p0 < Message.pm.4.26.5.patch
>patching file Message.pm
>Hunk #1 succeeded at 736 (offset -107 lines).
>Hunk #3 succeeded at 770 (offset -107 lines).
>Hunk #4 succeeded at 1002 (offset -10 lines).
>Hunk #5 succeeded at 1134 (offset -107 lines).
>Hunk #6 succeeded at 1247 (offset -10 lines).
>Hunk #7 succeeded at 1161 (offset -107 lines).
>Hunk #8 succeeded at 2051 (offset -10 lines).
>Hunk #9 succeeded at 2121 (offset 33 lines).
>Hunk #10 succeeded at 2087 (offset -10 lines).
>Hunk #11 FAILED at 2194.
>Hunk #12 FAILED at 2222.
>Hunk #13 FAILED at 2231.
>3 out of 13 hunks FAILED -- saving rejects to file Message.pm.rej
>
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>1300 85 HOST
>www.platformhosting.com
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > Behalf Of Julian Field
> > Sent: Thursday, 12 February 2004 7:35 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Fix -- Re: Mydoom Virus getting Through
> >
> > Please try this patch instead of the new Message.pm.
> >
> > cd /usr/lib/MailScanner/MailScanner
> > cp Message.pm Message.pm.safe
> > patch -p0 < Message.pm.4.26.5.patch
> > service MailScanner restart
> >
> > If it still fails, set "Debug = yes" in MailScanner.conf, then
> >
> > service MailScanner stop
> > sleep 15
> > check_MailScanner
> >
> > and let me know what it says.
> >
> > At 23:38 11/02/2004, you wrote:
> > >Looking at the log, I see that MailScanner failed to start.
> > >Ken
> > >
> > >
> > >Ken Anderson wrote:
> > >
> > >>I tried installing this Message.pm and restarted MailScanner, but I
> > >>quickly built up a large incoming queue and all exploding in /incoming
> > >>stopped happening. The directory stayed empty after restarting
> > >>MailScanner. I'm not sure what caused it, but things went back to normal
> > >>after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
> > >>recent enough version?
> > >>Thanks,
> > >>Ken A
> > >>Pacific.Net
> > >>
> > >>
> > >>Julian Field wrote:
> > >>
> > >>>I have hopefully managed to make the MIME parser a lot more robust. It
> > >>>certainly appears to solve the current problem. If you are running a nice
> > >>>recent version, back up your old Message.pm and replace it with this one.
> > >>>
> > >>>Then please test it against the copies of MyDoom that are getting
> > >>>through.
> > >>>
> > >>>The result of a fine evening spent wading through MIME-tools code and
> > >>>deciding that it can't rewind :-(
> > >>>
> > >>>Let me know how it goes.
> > >>>
> > >>>At 20:37 11/02/2004, you wrote:
> > >>>
> > >>>>Daniel Kleinsinger wrote:
> > >>>>
> > >>>>>Julian Field wrote:
> > >>>>>
> > >>>>>>The message that contained the MyDoom that got through Sophos (before
> > >>>>>>3.78d) was actually a bounce from another mail server that included the
> > >>>>>>entire text of the original message.
> > >>>>>>
> > >>>>>>Fortunately it's not been a big problem so far, but I would quite
> > >>>>>>like to fix it if I can.
> > >>>>>>
> > >>>>>I'm running Sophos in addition to Trend and F-Prot.  Using MailWatch I
> > >>>>>checked which viruses got caught by which scanner and before installing
> > >>>>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
> > >>>>>MyDoom.A slipped past Sophos every day).  Since installing 3.78d
> > >>>>>(yesterday) Sophos is catching all that Trend and F-Prot are.  There
> > >>>>>still seem to be some people having issues with 3.78d, but in my case it
> > >>>>>seems like it was a problem with Sophos, not MailScanner.
> > >>>>>
> > >>>>>Daniel
> > >>>>
> > >>>>
> > >>>>
> > >>>>I would suggest that this is as much an antivirus issue. I run F-prot and
> > >>>>Antivir and until Antivir updated their engine about a week ago only
> > >>>>F-prot was reliably catching the bounce messages with the original
> > >>>>message attached. With the new engine, all is well again and both are
> > >>>>catching them. Looks like F-Prot had a better message scanning engine
> > >>>>than the others had at the time.
> > >>>>
> > >>>>Drew
> > >>>>
> > >>>>--
> > >>>>In line with our policy, this message has
> > >>>>been scanned for viruses and dangerous
> > >>>>content by MailScanner, and is believed to be clean.
> > >>>>www.themarshalls.co.uk/policy
> > >>>
> > >>>
> > >>>--
> > >>>Julian Field
> > >>>www.MailScanner.info
> > >>>Professional Support Services at www.MailScanner.biz
> > >>>MailScanner thanks transtec Computers for their support
> > >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >>
> > >>
> >
> > ========================================================================
> >  Pain free spam & virus protection by:          www.mailsecurity.net.au
> >  Forward undetected SPAM to:                   spam at mailsecurity.net.au
> > ========================================================================
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.pm.4.25-14.patch
Type: application/octet-stream
Size: 19976 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040212/709ab713/Message.pm.4.25-14.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
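
A check for the symptom discussed above (failed hunks and large, inconsistent offsets), as an added example that is not part of the original message or of MailScanner: it parses `patch` output and flags failed hunks, fuzz, large offsets, and hunks that landed out of file order. The function name and the 20-line offset threshold are assumptions; the sample is the output quoted in the message with the `>` markers stripped.

```python
import re

# patch(1) output as quoted in the message above, quote markers removed.
PATCH_OUTPUT = """\
patching file Message.pm
Hunk #1 succeeded at 736 (offset -107 lines).
Hunk #3 succeeded at 770 (offset -107 lines).
Hunk #4 succeeded at 1002 (offset -10 lines).
Hunk #5 succeeded at 1134 (offset -107 lines).
Hunk #6 succeeded at 1247 (offset -10 lines).
Hunk #7 succeeded at 1161 (offset -107 lines).
Hunk #8 succeeded at 2051 (offset -10 lines).
Hunk #9 succeeded at 2121 (offset 33 lines).
Hunk #10 succeeded at 2087 (offset -10 lines).
Hunk #11 FAILED at 2194.
Hunk #12 FAILED at 2222.
Hunk #13 FAILED at 2231.
3 out of 13 hunks FAILED -- saving rejects to file Message.pm.rej
"""

HUNK_RE = re.compile(
    r"Hunk #(\d+) (succeeded|FAILED) at (\d+)"
    r"(?: with fuzz (\d+))?(?: \(offset (-?\d+) lines?\))?")


def review_patch_output(text, max_offset=20):
    """Return (hunk, reason) pairs for hunks that need a manual look.

    max_offset is an assumed threshold, not a patch(1) or MailScanner value.
    """
    findings = []
    last_hunk, last_line = None, 0
    for m in HUNK_RE.finditer(text):
        hunk, status, line = int(m.group(1)), m.group(2), int(m.group(3))
        fuzz, offset = int(m.group(4) or 0), int(m.group(5) or 0)
        if status == "FAILED":
            findings.append((hunk, "failed"))
            continue
        if fuzz:
            findings.append((hunk, "fuzz %d" % fuzz))
        if abs(offset) > max_offset:
            findings.append((hunk, "large offset %d" % offset))
        # Hunks are reported in file order, so landing lines should only rise;
        # a drop means at least one hunk matched context in the wrong place.
        if line < last_line:
            findings.append((hunk, "landed at %d, before hunk %d at %d"
                             % (line, last_hunk, last_line)))
        last_hunk, last_line = hunk, line
    return findings
```

On the quoted output this reports hunks 7 and 10 as landing above the hunk before them, which is stronger evidence of a misapplied patch than the offset size alone.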

