MailScanner issue not detecting MyDoom-0 [Re: nested .zip containing bad files not being caught]

Stijn Jonker SJCJonker at SJC.NL
Tue Jul 27 04:30:22 IST 2004


Hello Stephen & Julian,

Stephen Swaney said the following on 27-Jul-04 4:24:

> I've loaded the new Message.pm on all of our test systems and can't see any
> adverse consequences. It's late here and I'm a bit too tired to test against
> some of the files that have been slipping thru. Perchance someone in a
> different time zone can check that out :>)

I just woke up, and loaded the new Message.pm, although at this system
the traffic is low, it looks like it's catching the evil files slipping
through earlier. I'll keep an eye on it today.

>
> Julian,
>
> Thanks (as usual) for an incredibly speedy fix and have a great time in
> Portland OR - wherever that is!

Julian, I couldn't agree more, even when you are in the mid-west, or
west from the middle or ... etc your patches are faster than for almost
any open or closed source product.

>
>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>Behalf Of Julian Field
>>Sent: Monday, July 26, 2004 8:20 PM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: MailScanner issue not detecting MyDoom-0 [Re: nested .zip
>>containing bad files not being caught]
>>
>>The problem isn't quite as you have been describing it, but it causes the
>>symptom you are seeing.
>>Attached is a new Message.pm. Sorry I haven't got a patch but this is at
>>short notice and I can't get my VPN connection to stay up for more than 2
>>minutes at a time through this hotel's network.

Sorry for the wrong analysis, again thanks for the update!

>>
>>At 22:06 26/07/2004, you wrote:
>>
>>>Drew,
>>>
>>>Drew Marshall said the following on 26-Jul-04 22:42:
>>>
>>>>Stijn Jonker wrote:
>>>>
>>>>
>>>>>The longer explanation is below, but as far as I can tell the reason for
>>>>>non detection is that the zip file inside the original zip file has the
>>>>>same name. I think the explanation is below, and it is pointing towards
>>>>>mailscanner.
>>>>
>>>>Interestingly I can't get anything to detect a problem with these two
>>>>files either zipped or not. Very strange as they must be viruses but
>>>>neither f-prot or clam want to find anything wrong... I have the latest
>>>>definitions
>>>
>>>Could you check the files within: http://www.sjc.nl/MS/ for me?
>>>
>>>These are the two that are causing me issues?
>>>
>>>Maybe it's not the same as Bob is seeing.
>>>

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker at sjc.nl>
