sober.g slipping through?

Ken Anderson (Pacific Internet) ka at PACIFIC.NET
Thu May 20 00:02:02 IST 2004


This is probably a false alarm.
Interestingly, the '> ' in front of every line in the attachment keeps
my PC's Norton AV from detecting this too. This is probably the way this
message gets through.

Opening the file in a text editor and replacing all '> ' with '' makes
the virus detectable by Norton 2003. Another PC here detected the same
message immediately without any find/replace - but that PC is using
Norton 2004.

I'm hoping that OE doesn't 'fix' the attachment by removing the '> ' so
that the virus works correctly. It wouldn't surprise me.

Ken



Ken Anderson (Pacific Internet) wrote:
> Seeing some fake returned mail including sober.g getting through.
> sober.g is being caught in most cases though, so I don't think it's a
> virus scanner problem. We are running MailScanner-4.29.7-1
>
> Here's what the messages look like. Note this isn't the whole message,
> just the text at the top and the start of the attachment.
>
> Any ideas?
>
> Thanks,
> Ken
> Pacific.Net
>
>
> --- snip ---
>
>
> ==== AUTOMATED RESPONSE ===
>
> Hello,
>
> You have replied to an automated notification from Friendster.
>
> If you really meant to send email to Friendster, please choose the
> appropriate address from the Contact Friendster page:
>
> http://www.friendster.com/info/contacts.jsp
>
>  > Errors:
>  >
>  > 226.19.6.208_failed_after_I_sent_the_message.
>  > % 475: MAILBOX NOT FOUND
>  > % 353: Giving_up_on_226.19.6.208.
>  > % 369: Remote_host_said:_delivery_error
>  >
>  > End
>  > -----
>  >
>  > The full mail is attached.
>  >
>  > Auto-ReMail.System#: [pacific]
>  > --=====ea8f04121b9.5ab35f7
>  > Content-Type: application/octet-stream; name=EM.pacific9898.DOC.zip
>  > Content-Transfer-Encoding: base64
>  > Content-Disposition: attachment; filename="EM.pacific9898.DOC.zip"
>  >
>  >
> UEsDBAoAAAAAAAFYrjDx1V7D/cEAAP3BAAAfAAAAcC16aXBwZWRfZmlsZV9kYXRhICAgICAgICAg
>
>  >
>
>
> --- snip ---
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
>
>
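
The check below is an added example, not part of the original post or of MailScanner: it strips reply-quote markers from a text body and reports any base64 MIME part that only becomes visible afterwards, which is the layout described in the message above. The function name, boundary and file name are assumptions, and the payload is constructed inert bytes behind a ZIP signature.

```python
import base64
import re

QUOTE_PREFIX = re.compile(r"^(?:\s*>)+ ?")          # '> ', ' > ', '>  > ', ...
B64_HEADER = re.compile(r"content-transfer-encoding:\s*base64", re.I)
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
FILENAME = re.compile(r'filename="?([^";\s]+)', re.I)
ZIP_MAGIC = b"PK\x03\x04"

def find_quoted_attachments(body):
    """Return [(filename, is_zip)] for base64 parts hidden behind quote marks."""
    lines = [QUOTE_PREFIX.sub("", l).strip() for l in body.splitlines()]
    found = []
    for i, line in enumerate(lines):
        if not B64_HEADER.match(line):
            continue
        # File name from the part headers next to the encoding header.
        name = FILENAME.search(" ".join(lines[max(0, i - 3):i + 4]))
        payload = []
        for candidate in lines[i + 1:]:
            if B64_LINE.match(candidate):
                payload.append(candidate)
            elif payload:
                break                      # first non-base64 line ends the part
        data = "".join(payload)
        data = data[:len(data) - len(data) % 4]   # keep whole 4-char groups
        raw = base64.b64decode(data) if data else b""
        found.append((name.group(1) if name else None, raw.startswith(ZIP_MAGIC)))
    return found

# Constructed sample: inert bytes, laid out like the quoted part in the post.
_B64 = base64.b64encode(ZIP_MAGIC + b"constructed sample bytes, not a real archive").decode()
SAMPLE = "\n".join([
    "The full mail is attached.",
    " > --=====placeholder-boundary",
    " > Content-Type: application/octet-stream; name=sample.zip",
    " > Content-Transfer-Encoding: base64",
    ' > Content-Disposition: attachment; filename="sample.zip"',
    " >",
    "> " + _B64,
    " >",
    "--- end of constructed sample ---",
])

if __name__ == "__main__":
    print(find_quoted_attachments(SAMPLE))
```

A hit means the text body carries an archive that the MIME parser never saw as an attachment, so the message can be held or the recovered bytes handed to the virus scanner.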
