tons of infected files getting through???

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Wed Jan 28 14:02:27 GMT 2004

From the ClamAV list:

"These bounces contain the full virus in the form of the complete source of
the original email dumped at the end of the bounce message. Although I'm sure
the MIME is no longer set right so it may be harmless, Norton seems to catch
these while ClamAV does not. I'm running a CVS snapshot of ClamAV from
yesterday (the 26th) and run Freshclam every hour. It seems to be catching
other forms of the SCO virus, just not these bounces." - Matthew Trent


"It's not only a problem with the ClamAV MIME unpacker - even ripmime is
unable to extract the attachment in the body of a bounce message.
For example, I ran ripmime (v1.3.0.6 - 14/01/2004) on a bounce message;
it extracted its body as textfile0. When I ran ripmime on textfile0
it extracted textfile0_1, when run on textfile0_1 it extracted
textfile0_2, when run on textfile0_2 it extracted textfile0_3,
textfile1, textfile2, and textfile3." - Virgo Pärna


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Spicer, Kevin
> Sent: 28 January 2004 13:49
> Subject: Re: tons of infected files getting through???
>
> Martin Hepworth wrote:
> > Randal, Phil wrote:
> > > There's a whole thread on the ClamAV users mailing list about this -
> > > they appear to be bounces.
> >
> > Also Sophos seems to be missing them, and yes I have seen bounces that
> > are the ones missed.
>
> Hmmm, I was just about to post and say that I've not seen any - Sophos
> and Clam both find the same!
>
> I've also not seen any on our network with the payload (and we've had
> over 3000 blocked so I would expect that if they were getting through
> elsewhere they would be getting through here), which gets me to
> thinking....
>
> You said it was not just zips?  So...
>
> Are the attachments on the ones not detected by Clam, but detected by
> McAfee, being picked up by MailScanner's filename rules?
>
> I'm going to guess they are not.  Now if these are all bounces that
> would explain why my users aren't seeing the payload.  All my users use
> Outlook and Outlook suppresses all but the first part of the Delivery
> Status Notification.  The only hole in my theory is that Symantec on
> Exchange isn't finding any of these (but maybe this has the same
> problem).
>
> So, I think that this is some particular MTA software that returns the
> message with the bounce, with something strange going on in the MIME
> sections or encoding.  Perhaps someone who can identify these could
> post the source of the message (with the virus payload data removed).
> Is there a common MTA sending these (that is the remote MTA)?
> BMRB International 
> +44 (0)20 8566 5000

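The two nesting forms the thread describes (Matthew Trent's bounce with the complete original source dumped after the bounce text, and the repeated ripmime runs that had to be chained by hand), as an added example that is not part of the original messages or of MailScanner, ClamAV or ripmime. It uses Python's standard email library. The sample bounce messages, their addresses and the empty zip are constructed here, and the header-block heuristic used to spot a message dumped into a text body is this example's own assumption about what such copies look like:

```python
"""Recursive unpacking of bounce (DSN) messages.

Added example; not code from MailScanner, ClamAV or ripmime. It descends
proper message/rfc822 parts and also re-parses a complete message that an
MTA dumped as plain text at the end of the bounce body, which is the form a
plain MIME walk never enters. All sample messages below are constructed.
"""
import email
import re
from collections import namedtuple
from email import policy
from email.message import EmailMessage

Attachment = namedtuple("Attachment", "filename depth data")
# Assumed heuristic: a dumped copy starts with a run of "Name: value" header
# lines that includes Content-Type and ends at a blank line.
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def find_embedded_message(text: str):
    """Return the tail of `text` from the first header block that carries a
    Content-Type header and is terminated by a blank line, else None."""
    lines = text.splitlines(keepends=True)
    i = 0
    while i < len(lines):
        if not HEADER_LINE.match(lines[i]):
            i += 1
            continue
        j, seen_ct = i, False
        while j < len(lines) and lines[j].strip():
            if not (HEADER_LINE.match(lines[j]) or lines[j][0] in " \t"):
                break  # not a header or a folded continuation: not a message
            seen_ct |= lines[j].lower().startswith("content-type:")
            j += 1
        if seen_ct and j < len(lines) and not lines[j].strip():
            return "".join(lines[i:])
        i = max(j, i + 1)
    return None


def extract_attachments(msg: EmailMessage, depth: int = 0, max_depth: int = 10):
    """List every attachment, recursing through message/rfc822 parts and
    through messages embedded in text bodies. max_depth bounds the recursion
    so a deliberately deep nesting cannot keep the scanner busy forever."""
    if depth > max_depth:
        return []
    found = []
    if msg.is_multipart():  # true for multipart/* and for message/rfc822
        for part in msg.iter_parts():
            found.extend(extract_attachments(part, depth + 1, max_depth))
        return found
    name = msg.get_filename()
    if name:
        found.append(Attachment(name, depth, msg.get_content()))
    if msg.get_content_type().startswith("text/"):
        inner = find_embedded_message(msg.get_content())
        if inner is not None:
            found.extend(extract_attachments(parse(inner), depth + 1, max_depth))
    return found


def scan(raw: str):
    return extract_attachments(parse(raw))


def mime_walk_only(raw: str):
    """What a plain MIME walk sees: it enters message/rfc822 parts, but never
    a message dumped inside a text body."""
    return [p.get_filename() for p in parse(raw).walk() if p.get_filename()]


# Constructed samples. The "zip" is an empty archive (end-of-central-directory
# record only), standing in for the payload the bounces carried.
ORIGINAL = (
    "From: sender@example.org\n"
    "To: victim@example.net\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="inner"\n'
    "\n--inner\nContent-Type: text/plain\n\ntest\n"
    "--inner\n"
    'Content-Type: application/zip; name="document.zip"\n'
    'Content-Disposition: attachment; filename="document.zip"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==\n"
    "--inner--\n"
)
DSN_HEAD = (
    "From: MAILER-DAEMON@example.net\nTo: sender@example.org\n"
    "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
)
# Form 1: the original is a proper message/rfc822 part of a multipart/report.
BOUNCE_RFC822 = (
    DSN_HEAD
    + 'Content-Type: multipart/report; report-type=delivery-status; boundary="outer"\n'
    "\n--outer\nContent-Type: text/plain\n\n"
    "This is the mail system at host example.net.\n"
    "--outer\nContent-Type: message/rfc822\n\n"
    + ORIGINAL
    + "--outer--\n"
)
# Form 2: one text/plain body with the original dumped after the bounce text.
BOUNCE_DUMPED = (
    DSN_HEAD + "Content-Type: text/plain\n\n"
    "Your message could not be delivered.\n\n"
    "------ This is a copy of the message, including all the headers. ------\n\n"
    + ORIGINAL
)

if __name__ == "__main__":
    for label, raw in (("rfc822", BOUNCE_RFC822), ("dumped", BOUNCE_DUMPED)):
        print(label, "walk:", mime_walk_only(raw),
              "recursive:", [(a.filename, a.depth) for a in scan(raw)])
```

A plain walk() finds document.zip only in the message/rfc822 form; in the dumped form the attachment is text from the parser's point of view and is only recovered by re-parsing the body. Keep the depth bound: without it, a message that nests copies of itself makes the unpacker's work, and the scanner's, unbounded.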