Fix -- Re: Mydoom Virus getting Through

Julian Field mailscanner at
Thu Feb 12 20:46:41 GMT 2004

Okay, I can guess exactly why that happened.

Please apply this little patch to your and get straight back to
me to let me know if it worked.

--- 2004-02-11 21:31:07.000000000 +0000
+++  2004-02-12 20:44:16.000000000 +0000
@@ -1025,12 +1025,15 @@
  sub ExplodePart {
    my($this, $explodeinto) = @_;

-  my($dir, $part);
+  my($dir, $part, @parts);

    $dir = new DirHandle;

-  while($part = $dir->read) {
+  @parts = $dir->read();
+  $dir->close();
+  foreach $part (@parts) {
      #print STDERR "Reading $part\n";
      next unless $part =~ /^msg.*txt/;

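Review bot: in `ExplodePart`, nothing visible between `$dir = new DirHandle;` and `@parts = $dir->read();` checks that the directory handle was opened, so a failed open would give an empty `@parts` and the `foreach` would silently process nothing. Check the result of opening the directory and log and return on failure before reading. A short comment above `@parts = $dir->read();` saying why the whole listing is taken and the handle closed before the loop would also keep a later cleanup from turning it back into `while($part = $dir->read)`.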
@@ -1058,7 +1061,6 @@

      unless ($foundheader) {
-      $dir->close();

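Review bot: in the `unless ($foundheader)` block, dropping `$dir->close();` is only correct because the first hunk now closes the handle before the loop starts, so the two hunks must always be applied together. Please confirm that no other exit path in the rest of the sub, outside the lines shown here, still calls `$dir->close()` or `$dir->read`, since the handle is already closed by the time the loop body runs.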

At 20:27 12/02/2004, you wrote:
>oops, spoke too soon.  It's still broken.
>It runs for a minute then stops writing to the log silently. The
>processes are still busy exploding thousands of identical copies of
>*.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250
>The messages are:
>ls | wc
>    3213    3213   61044
>diff msg-12397-2166.txt msg-12397-2167.txt
>No diff.
>Hope this helps,
>Ken A.
>Ken Anderson wrote:
>>patched and restarted with no problems.
>>Ken A.
>>Julian Field wrote:
>>>Please try this patch instead of the new
>>>cd /usr/lib/MailScanner/MailScanner
>>>patch -p0 <
>>>service MailScanner restart
>>>If it still fails, set "Debug = yes" in MailScanner.conf, then
>>>service MailScanner stop
>>>sleep 15
>>>and let me know what it says.
>>>At 23:38 11/02/2004, you wrote:
>>>>Looking at the log, I see that MailScanner failed to start.
>>>>Ken Anderson wrote:
>>>>>I tried installing this and restarted MailScanner, but I
>>>>>quickly built up a large incoming queue and all exploding in /incoming
>>>>>stopped happening. The directory stayed empty after restarting
>>>>>MailScanner. I'm not sure what caused it, but things went back to
>>>>>after I put the old back. I'm running 4.26.5, perhaps not a
>>>>>recent enough version?
>>>>>Ken A
>>>>>Julian Field wrote:
>>>>>>I have hopefully managed to make the MIME parser a lot more robust. It
>>>>>>certainly appears to solve the current problem. If you are running a
>>>>>>recent version, backup your old and replace it with this
>>>>>>Then please test it against the copies of MyDoom that are getting
>>>>>>The result of a fine evening spent wading through MIME-tools code and
>>>>>>deciding that it can't rewind :-(
>>>>>>Let me know how it goes.
>>>>>>At 20:37 11/02/2004, you wrote:
>>>>>>>Daniel Kleinsinger wrote:
>>>>>>>>Julian Field wrote:
>>>>>>>>>The message that contained the MyDoom that got through Sophos
>>>>>>>>>3.78d) was actually a bounce from another mail server that included
>>>>>>>>>entire text of the original message.
>>>>>>>>>Fortunately it's not been a big problem so far, but I would quite
>>>>>>>>>like to fix it if I can.
>>>>>>>>I'm running Sophos in addition to Trend and F-Prot.  Using
>>>>>>>>MailWatch I
>>>>>>>>checked which virii got caught by which scanner and before
>>>>>>>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>>>>>>>MyDoom.A slipped past Sophos every day).  Since installing 3.78d
>>>>>>>>(yesterday) Sophos is catching all that Trend and F-Prot are.  There
>>>>>>>>still seem to be some people having issues with 3.78d, but in my
>>>>>>>>case it
>>>>>>>>seems like it was a problem with Sophos, not MailScanner.
>>>>>>>I would suggest that this is as much an antivirus issue. I run F-prot
>>>>>>>Antivir and until Antivir updated their engine about a week ago only
>>>>>>>F-prot was reliably catching the bounce messages with the original
>>>>>>>message attached. With the new engine, all is well again and both are
>>>>>>>catching them. Looks like F-Prot had a better message scanning engine
>>>>>>>than the others had at the time.
>>>>>>Julian Field
>>>>>>Professional Support Services at
>>>>>>MailScanner thanks transtec Computers for their support
>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>Julian Field
>>>MailScanner thanks transtec Computers for their support
>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Julian Field
Professional Support Services at
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
