Fix -- Re: Mydoom Virus getting Through

Julian Field mailscanner at ecs.soton.ac.uk
Thu Feb 12 21:37:47 GMT 2004


That's right. I have just published 4.27.3 including this fix.

I assume you mean it is unpacking the .txt files in the
/var/spool/MailScanner/incoming/process-id/message-id directory. That is
where it should be unpacking them, that's what the code says and that's
where mine is unpacking them. They should just be added to the attachments
already unpacked.

Thanks for letting me know so quickly.

At 21:19 12/02/2004, you wrote:
>Was I supposed to patch the patched version or the original 4.26.5
>Version of Message.pm?
>
>Well I patched the patched version and it is working now, only expanding
>a few .txt files now and then in the incoming dir.
>
>mailfilter# patch -p0 < Message.pm.4.26.5.patch
>patching file Message.pm
>mailfilter# patch -p0 < Message.pm.4.26.5.2nd.patch
>patching file Message.pm
>Hunk #1 succeeded at 1020 with fuzz 1 (offset -5 lines).
>Hunk #2 succeeded at 1061 with fuzz 2.
>
>Thanks,
>Ken A
>Pacific.Net
>
>
>Julian Field wrote:
>
>>Okay, I can guess exactly why that happened.
>>
>>Please apply this little patch to your Message.pm and get straight back to
>>me to let me know if it worked.
>>
>>-----SNIP-----
>>--- Message.pm.old 2004-02-11 21:31:07.000000000 +0000
>>+++ Message.pm  2004-02-12 20:44:16.000000000 +0000
>>@@ -1025,12 +1025,15 @@
>>  sub ExplodePart {
>>    my($this, $explodeinto) = @_;
>>
>>-  my($dir, $part);
>>+  my($dir, $part, @parts);
>>
>>    $dir = new DirHandle;
>>
>>    $dir->open($explodeinto);
>>-  while($part = $dir->read) {
>>+  @parts = $dir->read();
>>+  $dir->close();
>>+
>>+  foreach $part (@parts) {
>>      #print STDERR "Reading $part\n";
>>      next unless $part =~ /^msg.*txt/;
>>
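Review bot: `$dir->open($explodeinto)` is still unchecked, and with the new `@parts = $dir->read();` an open failure now silently yields an empty list, so the sub returns having exploded nothing; suggest `$dir->open($explodeinto) or return;` (or a logged failure) before the read. The snapshot itself is the right fix: the loop body creates further `msg*.txt` files in `$explodeinto`, and reading the handle lazily while writing into that same directory is what kept returning fresh entries (the thousands of identical copies reported further down). A one-line comment stating that files created during this pass are deliberately not picked up would stop someone from later "optimising" it back to a streaming `while ($part = $dir->read)`.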
>>@@ -1058,7 +1061,6 @@
>>
>>      unless ($foundheader) {
>>        $file->close();
>>-      $dir->close();
>>        return;
>>      }
>>
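Review bot: dropping `$dir->close()` on this path is consistent with the handle now being closed before the loop, but the `return` that remains still exits `ExplodePart` on the first part without a header, so any later entries in `@parts` are never examined; if every part should be checked, `next;` (keeping the `$file->close();`) is the control flow to use here. Also worth a quick scan of the rest of the sub for any other `$dir->close()` on an exit path, since closing an already-closed handle only earns a warning and hides the fact that the handle is no longer needed there.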
>>-----SNIP-----
>>
>>At 20:27 12/02/2004, you wrote:
>>
>>>oops, spoke too soon.  It's still broken.
>>>
>>>It runs for a minute then stops writing to the log silently. The
>>>processes are still busy exploding thousands of identical copies of
>>>*.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250
>>>directories.
>>>The messages are:
>>>msg-12397-2166.txt
>>>msg-12397-2167.txt
>>>msg-12397-2168.txt
>>>msg-12397-2169.txt
>>>etc...
>>>
>>>ls | wc
>>>    3213    3213   61044
>>>
>>>diff msg-12397-2166.txt msg-12397-2167.txt
>>>
>>>No diff.
>>>Hope this helps,
>>>
>>>Ken A.
>>>Pacific.Net
>>>
>>>
>>>
>>>Ken Anderson wrote:
>>>
>>>>patched and restarted with no problems.
>>>>Thanks,
>>>>Ken A.
>>>>Pacific.Net
>>>>
>>>>
>>>>Julian Field wrote:
>>>>
>>>>>Please try this patch instead of the new Message.pm.
>>>>>
>>>>>cd /usr/lib/MailScanner/MailScanner
>>>>>cp Message.pm Message.pm.safe
>>>>>patch -p0 < Message.pm.4.26.5.patch
>>>>>service MailScanner restart
>>>>>
>>>>>If it still fails, set "Debug = yes" in MailScanner.conf, then
>>>>>
>>>>>service MailScanner stop
>>>>>sleep 15
>>>>>check_MailScanner
>>>>>
>>>>>and let me know what it says.
>>>>>
>>>>>At 23:38 11/02/2004, you wrote:
>>>>>
>>>>>>Looking at the log, I see that MailScanner failed to start.
>>>>>>Ken
>>>>>>
>>>>>>
>>>>>>Ken Anderson wrote:
>>>>>>
>>>>>>>I tried installing this Message.pm and restarted MailScanner, but I
>>>>>>>quickly built up a large incoming queue and all exploding in /incoming
>>>>>>>stopped happening. The directory stayed empty after restarting
>>>>>>>MailScanner. I'm not sure what caused it, but things went back to normal
>>>>>>>after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
>>>>>>>recent enough version?
>>>>>>>Thanks,
>>>>>>>Ken A
>>>>>>>Pacific.Net
>>>>>>>
>>>>>>>
>>>>>>>Julian Field wrote:
>>>>>>>
>>>>>>>>I have hopefully managed to make the MIME parser a lot more robust. It
>>>>>>>>certainly appears to solve the current problem. If you are running a
>>>>>>>>nice recent version, back up your old Message.pm and replace it with
>>>>>>>>this one.
>>>>>>>>
>>>>>>>>Then please test it against the copies of MyDoom that are getting
>>>>>>>>through.
>>>>>>>>
>>>>>>>>The result of a fine evening spent wading through MIME-tools code and
>>>>>>>>deciding that it can't rewind :-(
>>>>>>>>
>>>>>>>>Let me know how it goes.
>>>>>>>>
>>>>>>>>At 20:37 11/02/2004, you wrote:
>>>>>>>>
>>>>>>>>>Daniel Kleinsinger wrote:
>>>>>>>>>
>>>>>>>>>>Julian Field wrote:
>>>>>>>>>>
>>>>>>>>>>>The message that contained the MyDoom that got through Sophos (before
>>>>>>>>>>>3.78d) was actually a bounce from another mail server that included
>>>>>>>>>>>the entire text of the original message.
>>>>>>>>>>>
>>>>>>>>>>>Fortunately it's not been a big problem so far, but I would quite
>>>>>>>>>>>like to fix it if I can.
>>>>>>>>>>
>>>>>>>>>>I'm running Sophos in addition to Trend and F-Prot. Using MailWatch I
>>>>>>>>>>checked which viruses got caught by which scanner and before installing
>>>>>>>>>>3.78d Sophos was catching a few fewer MyDoom.A (5-20 of 300-500 total
>>>>>>>>>>MyDoom.A slipped past Sophos every day). Since installing 3.78d
>>>>>>>>>>(yesterday) Sophos is catching all that Trend and F-Prot are. There
>>>>>>>>>>still seem to be some people having issues with 3.78d, but in my case
>>>>>>>>>>it seems like it was a problem with Sophos, not MailScanner.
>>>>>>>>>>
>>>>>>>>>>Daniel
>>>>>>>>>
>>>>>>>>>I would suggest that this is as much an antivirus issue. I run F-prot
>>>>>>>>>and Antivir and until Antivir updated their engine about a week ago
>>>>>>>>>only F-prot was reliably catching the bounce messages with the original
>>>>>>>>>message attached. With the new engine, all is well again and both are
>>>>>>>>>catching them. Looks like F-Prot had a better message scanning engine
>>>>>>>>>than the others had at the time.
>>>>>>>>>
>>>>>>>>>Drew
>>>>>>>>>
>>>>>>>>>--
>>>>>>>>>In line with our policy, this message has
>>>>>>>>>been scanned for viruses and dangerous
>>>>>>>>>content by MailScanner, and is believed to be clean.
>>>>>>>>>www.themarshalls.co.uk/policy
>>>>>>>>
>>>>>>>>--
>>>>>>>>Julian Field
>>>>>>>>www.MailScanner.info
>>>>>>>>Professional Support Services at www.MailScanner.biz
>>>>>>>>MailScanner thanks transtec Computers for their support
>>>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
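The directory-snapshot pattern from the patch quoted in this thread, as an added example that is not MailScanner's own code: a stand-alone Perl script that creates a throwaway directory with constructed msg-*.txt parts, reads the directory listing once before writing derived msg-*.txt files into the same directory, and so handles each original part exactly once instead of re-reading its own output. The `explode_parts` sub, the file names and the "From:" header check are assumptions made for the illustration; the real ExplodePart does considerably more per file.

```perl
#!/usr/bin/perl
# Added example (not MailScanner code): process every msg*.txt part in a
# directory while creating new msg*.txt files in that same directory, without
# the loop ever seeing the files it just created.
use strict;
use warnings;
use DirHandle;
use File::Temp qw(tempdir);

# Returns the number of parts handled.  The listing is read in one go and the
# handle closed BEFORE the loop; a lazy readdir while writing into the same
# directory can keep returning the newly created entries, which is the
# runaway ("thousands of identical copies") described in the thread.
sub explode_parts {
    my ($explodeinto) = @_;
    my $dir = DirHandle->new($explodeinto)
        or die "Cannot open $explodeinto: $!";
    my @parts = $dir->read();    # list context: one snapshot of the directory
    $dir->close();

    my $processed = 0;
    foreach my $part (@parts) {
        next unless $part =~ /^msg.*\.txt\z/;    # only message parts (assumed name)
        my $path = "$explodeinto/$part";
        next unless -f $path;

        open(my $in, '<', $path) or die "Cannot read $path: $!";
        my $header = <$in>;
        close($in);
        next unless defined $header && $header =~ /^From:/;   # assumed header check

        # Stand-in for the real work: the part is "exploded" into a new file
        # whose name also matches /^msg.*\.txt/, i.e. exactly the situation
        # that used to feed the loop its own output.
        my $out_path = "$explodeinto/msg-$part";
        open(my $out, '>', $out_path) or die "Cannot write $out_path: $!";
        print $out $header;
        close($out);
        $processed++;
    }
    return $processed;
}

# Constructed sample input: three parts in a temporary directory.
my $tmp = tempdir(CLEANUP => 1);
for my $n (1 .. 3) {
    open(my $fh, '>', "$tmp/msg-$n.txt") or die "Cannot create sample: $!";
    print $fh "From: sender\@example.invalid\n\nbody $n\n";
    close($fh);
}

my $count = explode_parts($tmp);
my @derived = grep { /^msg-msg-/ } do { opendir(my $d, $tmp) or die $!; readdir($d) };
printf "handled %d parts, created %d derived files, loop terminated\n",
    $count, scalar @derived;
```

Run it with `perl explode_snapshot.pl`: the three constructed parts are handled once each, three `msg-msg-*.txt` files appear beside them, and the loop ends because the derived files were not in the snapshot. Swapping the two lines that read and close the handle for a `while ($part = $dir->read)` loop is the shape of the original bug; whether it then runs away depends on the filesystem's readdir behaviour, which is precisely why the snapshot is the safer form.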
