tons of infected files getting through???

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Wed Jan 28 13:49:26 GMT 2004

Martin Hepworth wrote:
> Randal, Phil wrote:
>> There's a whole thread on the ClamAV users mailing list about this -
>> they appear to be bounces. 
> Also Sophos seems to be missing them, and yes I have seen bounces that
> are the ones missed..

Hmmm, I was just about to post and say that I've not seen any Sophos and Clam both find the same!

I've also not seen any on our network with the payload (and we've had over 3000 blocked so I would expect that if they were getting through elsewhere they would be getting through here), which gets me to thinking....

You said it was not just zips?  So...
Are the attachments on the ones not detected by Clam, but detected by McAfee, being picked up by MailScanner's filename rules?

I'm going to guess they are not.  Now if these are all bounces that would explain why my users aren't seeing the payload.  All my users use Outlook and Outlook suppresses all but the first part of the Delivery Status Notification.  The only hole in my theory is that Symantec on Exchange isn't finding any of these (but maybe this has the same problem).

So, I think that this is some particular MTA software that returns the message with the bounce, with something strange going on in the MIME sections or encoding.  Perhaps someone who can identify these could post the source of the message (with the virus payload data removed).  Is there a common MTA sending these (that is, the remote MTA)?

BMRB International
+44 (0)20 8566 5000
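The bounce structure discussed in the message above, as an added example that is not part of the original post: a constructed Delivery Status Notification that returns the original message as a `message/rfc822` part, walked once at top level only and once recursively to show where a named attachment sits. The addresses, the placeholder attachment bytes, the `BLOCKED_EXT` deny-list and all function names are assumptions made for illustration and are not MailScanner's own rules or code.

```python
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

BLOCKED_EXT = (".pif", ".scr", ".exe")  # assumed deny-list, not MailScanner's own rules

def build_bounce() -> bytes:
    """Constructed sample: a DSN that returns the original message in full."""
    original = MIMEMultipart("mixed")
    original["Subject"] = "hi"
    original.attach(MIMEText("test"))
    att = MIMEApplication(b"PLACEHOLDER, NOT A PAYLOAD")
    att.add_header("Content-Disposition", "attachment", filename="document.pif")
    original.attach(att)

    status = Message()  # one header block of the delivery-status part
    status["Final-Recipient"] = "rfc822; nobody@example.net"
    status["Action"] = "failed"

    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.attach(MIMEText("Delivery to nobody@example.net failed."))
    dsn.attach(MIMEMessage(status, "delivery-status"))
    dsn.attach(MIMEMessage(original))  # third part: the returned message
    return dsn.as_bytes()

def attachments(part, max_depth=None, path=()):
    """Yield (MIME path, filename) for named parts; max_depth models a shallow scanner."""
    here = path + (part.get_content_type(),)
    if part.get_filename():
        yield " > ".join(here), part.get_filename()
    if part.is_multipart() and (max_depth is None or len(path) < max_depth):
        for child in part.get_payload():
            yield from attachments(child, max_depth, here)

def blocked(found):
    """Filenames that a simple extension rule would flag."""
    return [name for _, name in found if name.lower().endswith(BLOCKED_EXT)]

def sample():
    return message_from_bytes(build_bounce())

if __name__ == "__main__":
    msg = sample()
    print("top-level only:", list(attachments(msg, max_depth=1)))
    print("full recursion:", list(attachments(msg)))
    print("rule hits:", blocked(attachments(msg)))
```

Running the same walk over the raw source of a real sample (with the payload data removed, as requested above) shows at which MIME depth the attachment sits and whether a filename rule would ever see it.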