tons of infected files getting through???

Chris Yuzik chris at FRACTALWEB.COM
Wed Jan 28 22:33:08 GMT 2004


Robert Richard Wallace wrote:

>This problem I believe relates to the fact that MailScanner uses MIME-tools
>to break up mails into attachments before scanning. I did some testing on 2
>samples I have of the virus; one was caught and the other not.
>
>The one not caught is a bounce message and it seems to have a MIME type that
>fails to be detected by MIME-tools and therefore the attachment is not
>scanned. I can provide samples if anyone wants to investigate this further.
>I tried with the latest experimental perl modules and still it failed.
>
>I used a util called juju and it managed to correctly decode all attachments
>to both mails. So I am wondering if it might be a good idea to add some sort
>of double checking on MIME decodes with another util or library. Anyone care
>to comment on this?
>
>
Hi Richard,

This is pretty much the conclusion I came to as well. Some infected
messages are caught while others aren't. Same with ClamAV...it can catch
some but not others.

There's definitely a problem with the MIME encoding of some of these
messages though. If you have one where the virus was not detected, then
send it to yourself, it arrives fine. Forward it back to yourself and
MailScanner (and ClamAV) will detect it. My guess is that the message
gets re-assembled properly along the way, and then MailScanner works.

So, the question is: is our problem with some of these emails related to
MailScanner or ClamAV or ???

I'm not familiar with "juju". Is this something that can be accessed
from Perl?

Cheers,
Chris
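
Added example, not part of the original post and not MailScanner code: one way to do the "double checking on MIME decodes" suggested above, comparing what a MIME parser decoded against an independent pass over the raw bytes. It uses Python's standard email package as a stand-in for MIME-tools; the function names and both sample messages are constructed for illustration (the real samples from the thread are not on the page).

```python
import base64
import re
from email import message_from_bytes

# A line that looks like base64 body text (no spaces, colons or dashes).
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]{40,76}={0,2}$")

def parser_encoded_parts(raw: bytes) -> int:
    """Leaf parts the MIME parser identified as base64-encoded."""
    msg = message_from_bytes(raw)
    return sum(
        1 for part in msg.walk()
        if not part.is_multipart()
        and str(part.get("Content-Transfer-Encoding", "")).strip().lower() == "base64"
    )

def raw_encoded_blocks(raw: bytes, min_lines: int = 3) -> int:
    """Second opinion: count runs of base64-looking lines in the raw bytes."""
    blocks = run = 0
    for line in raw.splitlines() + [b""]:  # trailing b"" flushes the last run
        if B64_LINE.match(line.strip()):
            run += 1
            continue
        if run >= min_lines:
            blocks += 1
        run = 0
    return blocks

def needs_second_look(raw: bytes) -> bool:
    """True when the raw pass sees more encoded blocks than the parser decoded."""
    return raw_encoded_blocks(raw) > parser_encoded_parts(raw)

# Constructed, harmless payload and messages (assumed shapes, not real samples).
PAYLOAD = base64.encodebytes(b"constructed harmless test bytes " * 12)
WELL_FORMED = (
    b"From: a@example.test\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\n\n'
    b"--BOUND\nContent-Type: text/plain\n\nhello\n"
    b"--BOUND\nContent-Type: application/octet-stream\n"
    b"Content-Transfer-Encoding: base64\n\n" + PAYLOAD + b"--BOUND--\n"
)
# Bounce-style message: the encoded block sits inside what parses as text/plain.
BOUNCE = (
    b"From: MAILER-DAEMON@example.test\nSubject: Undeliverable\n"
    b"Content-Type: text/plain\n\n"
    b"Your message could not be delivered. Original message follows.\n\n"
    b"Content-Type: application/octet-stream\n"
    b"Content-Transfer-Encoding: base64\n\n" + PAYLOAD
)
```

A message flagged by needs_second_look() is a candidate for quarantine or for a pass through a second decoder before delivery; the heuristic only counts base64 runs, so other encodings would need their own raw check.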


