Fix -- Re: Mydoom Virus getting Through

Ken Anderson ka at PACIFIC.NET
Thu Feb 12 18:49:21 GMT 2004


Patched and restarted with no problems.
Thanks,
Ken A.
Pacific.Net


Julian Field wrote:

> Please try this patch instead of the new Message.pm.
>
> cd /usr/lib/MailScanner/MailScanner
> cp Message.pm Message.pm.safe
> patch -p0 < Message.pm.4.26.5.patch
> service MailScanner restart
>
> If it still fails, set "Debug = yes" in MailScanner.conf, then
>
> service MailScanner stop
> sleep 15
> check_MailScanner
>
> and let me know what it says.
>
> At 23:38 11/02/2004, you wrote:
>
>> Looking at the log, I see that MailScanner failed to start.
>> Ken
>>
>>
>> Ken Anderson wrote:
>>
>>> I tried installing this Message.pm and restarted MailScanner, but I
>>> quickly built up a large incoming queue and all exploding in /incoming
>>> stopped happening. The directory stayed empty after restarting
>>> MailScanner. I'm not sure what caused it, but things went back to normal
>>> after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
>>> recent enough version?
>>> Thanks,
>>> Ken A
>>> Pacific.Net
>>>
>>>
>>> Julian Field wrote:
>>>
>>>> I have hopefully managed to make the MIME parser a lot more robust. It
>>>> certainly appears to solve the current problem. If you are running a
>>>> nice recent version, back up your old Message.pm and replace it with
>>>> this one.
>>>>
>>>> Then please test it against the copies of MyDoom that are getting
>>>> through.
>>>>
>>>> The result of a fine evening spent wading through MIME-tools code and
>>>> deciding that it can't rewind :-(
>>>>
>>>> Let me know how it goes.
>>>>
>>>> At 20:37 11/02/2004, you wrote:
>>>>
>>>>> Daniel Kleinsinger wrote:
>>>>>
>>>>>> Julian Field wrote:
>>>>>>
>>>>>>> The message that contained the MyDoom that got through Sophos
>>>>>>> (before 3.78d) was actually a bounce from another mail server that
>>>>>>> included the entire text of the original message.
>>>>>>>
>>>>>>> Fortunately it's not been a big problem so far, but I would quite
>>>>>>> like to fix it if I can.
>>>>>>>
>>>>>> I'm running Sophos in addition to Trend and F-Prot.  Using MailWatch I
>>>>>> checked which viruses got caught by which scanner and before installing
>>>>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>>>>> MyDoom.A slipped past Sophos every day).  Since installing 3.78d
>>>>>> (yesterday) Sophos is catching all that Trend and F-Prot are.  There
>>>>>> still seem to be some people having issues with 3.78d, but in my case it
>>>>>> seems like it was a problem with Sophos, not MailScanner.
>>>>>>
>>>>>> Daniel
>>>>>
>>>>> I would suggest that this is as much an antivirus issue. I run F-prot and
>>>>> Antivir and until Antivir updated their engine about a week ago only
>>>>> F-prot was reliably catching the bounce messages with the original
>>>>> message attached. With the new engine, all is well again and both are
>>>>> catching them. Looks like F-Prot had a better message scanning engine
>>>>> than the others had at the time.
>>>>>
>>>>> Drew
>>>>>
>>>>> --
>>>>> In line with our policy, this message has
>>>>> been scanned for viruses and dangerous
>>>>> content by MailScanner, and is believed to be clean.
>>>>> www.themarshalls.co.uk/policy
>>>>
>>>>
>>>>
>>>> --
>>>> Julian Field
>>>> www.MailScanner.info
>>>> Professional Support Services at www.MailScanner.biz
>>>> MailScanner thanks transtec Computers for their support
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>>
>>>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
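
The bounce case discussed in this thread, as an added example that is not part of the original messages and is not MailScanner's code (MailScanner uses Perl and MIME-tools; this uses Python's standard email module). It assumes the bounce pastes the original MIME message as plain text into its body; find_attachments, HEADER_START and the sample message are hypothetical names and constructed data. A single MIME pass sees no attachment in such a bounce, so the text body is re-parsed wherever a header block appears to start.

```python
import email
import re
from email.message import Message

# A paragraph that starts with a "Name:" line may be a pasted header block.
HEADER_START = re.compile(r"(?:\A|\n\s*\n)(?=[A-Za-z-]+:)")

def find_attachments(msg: Message, reparsed: int = 0, limit: int = 5):
    """Yield (reparse_depth, filename) for each named part, including parts
    of an original message pasted as plain text into a bounce body."""
    if reparsed > limit:  # bound recursion on bounces of bounces
        return
    for part in msg.walk():  # walk() already enters message/rfc822 parts
        name = part.get_filename()
        if name:
            yield reparsed, name
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode("latin-1").replace("\r\n", "\n")
        for m in HEADER_START.finditer(text):
            inner = email.message_from_string(text[m.end():])
            if inner.is_multipart():  # a boundary was declared and parsed
                yield from find_attachments(inner, reparsed + 1, limit)
                break

# Constructed sample: a bounce whose text body quotes a whole MIME message.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
Subject: Undeliverable mail
Content-Type: text/plain

Your message could not be delivered. The original message follows.

From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner

Body text.
--inner
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.scr"

constructed placeholder, not a real payload
--inner--
"""

if __name__ == "__main__":
    print(list(find_attachments(email.message_from_string(SAMPLE_BOUNCE))))
```

A reparse depth above 0 means the attachment was only visible after re-parsing a text body, which is the case a scanner fed by a single MIME pass would not be handed.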


