[Mimedefang] Virus getting by MD

Ole Craig olc at cs.umass.edu
Wed Aug 27 11:18:01 EDT 2003


On 08/27/03 at 10:40, 'twas brillig and Stefano McGhee scrobe:

> Hello All,
> 	I have been noticing curious behavior by my MD box over the past
> couple days.  It is blocking many instances of SoBig.f and Bugbear (yeah,
> it's still out there) quite adeptly over the past few days.  My MD box acts
> as a mail gateway to my network with an Exchange server providing mailboxes
> for my users.  The box only processes incoming mail.
> 	Over the past few days, the Exchange server has been notifying me
> of viruses that it has been catching.  This is weird, because the MD box,
> running uvscan, usually catches everything.  Checking the logs shows that
> MD and uvscan are still catching viruses, but the ones that get through are
> sent from MAILER-DAEMON, Mail Delivery System, and Mail Delivery
> Subsystem to internal users.  Some of these addresses have full email
> addresses and some only have friendly names.  Checking the logs shows that
> the message (h7RDDZgS013752) is getting through without an issue.  You can
> even see another message that did get discarded (h7RDDrgS013773):

[...]
 
> Why did this happen?  Have I allowed things from mailer daemons in by
> default somewhere?  I've looked in access.db as well as mimedefang-filter
> and don't see anywhere that those come up.  Any ideas?

	I'm seeing some of the same kind of behavior with clamscan.
Certainly lots of SoBig is getting caught (18821 over the last 48
hours against a total volume of 45282 emails, according to that
ever-so-useful tool GraphDefang) but occasionally a bounce from some
less-than-perfectly configured MTA somewhere will show up in a user's
mailbox with a defanged details.pif or what have you. 

	(Again, over the last 48 hours):
7 instances: thank_you.pif
7 instances: wicked_scr.scr
5 instances: application.pif
5 instances: details.pif
4 instances: your_details.pif

	I had a peek at one of the "details.pif" versions -- it seems
to be an intact MS-Dog executable.

	This doesn't include the stupid MTAs that bounce the entire
message back as text prepended by > signs, of course. (Ghaa.)

	I assumed this was either 1) an MTA truncating (or otherwise
mangling) the MIME attachment as part of the bounce process, or 2) a
new virus. I noted this morning that freshclam updated my DBs twice
recently, so I'd been leaning towards option 2, but I just rescanned
my sample of one of the newcomers and clamscan doesn't flag it.

	Thoughts?	
		Ole
-- 
Ole Craig * UNIX, linux, SMTP-ninja; news, web; SGI martyr * CS Computing
Facility, UMass * <www.cs.umass.edu/~olc/pgppubkey.txt> for public key
[...] Oh, shed thy mercy and thy grace / On those who venture into space.
			(R. A. Heinlein)
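An added example, not from the original post and not MIMEDefang's own filter code: a Python check of the kind a gateway could apply to the bounces discussed above. It parses a constructed MAILER-DAEMON bounce (all addresses and contents are placeholders), walks into the message/rfc822 copy of the bounced original, and flags attachments either by executable extension or by the "MZ" header, so an intact details.pif is caught by content even when the signature scanner has nothing for it, and a truncated one is still caught as long as its first two bytes survive.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a filter_bad_filename-style check would block; a subset is enough here.
EXEC_EXTS = {"pif", "scr", "exe", "com", "bat"}


def is_dos_executable(data: bytes) -> bool:
    """DOS/Windows executables start with the 'MZ' header; the header survives
    even when a bouncing MTA truncates the rest of the attachment."""
    return data[:2] == b"MZ"


def suspicious_attachments(raw: bytes):
    """Walk every leaf part, including those inside a message/rfc822 copy of the
    bounced original, and report (filename, by_name, by_magic, size) for each
    attachment that looks like a Windows executable by name or by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():          # multipart/* and message/rfc822 containers
            continue
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        by_name, by_magic = ext in EXEC_EXTS, is_dos_executable(payload)
        if by_name or by_magic:
            hits.append((name, by_name, by_magic, len(payload)))
    return hits


def build_sample_bounce(data=b"MZ\x90\x00" + b"\x00" * 60, filename="details.pif") -> bytes:
    """Constructed sample: a MAILER-DAEMON bounce wrapping the original message
    and its attachment as a message/rfc822 part (addresses are placeholders)."""
    original = EmailMessage()
    original["From"] = "someone@example.invalid"
    original["To"] = "user@example.invalid"
    original["Subject"] = "Thank you!"
    original.set_content("Please see the attached file.")
    original.add_attachment(data, maintype="application", subtype="octet-stream",
                            filename=filename)
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@relay.example.invalid"
    bounce["To"] = "user@example.invalid"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("Delivery failed; the original message is attached.")
    bounce.add_attachment(original)      # becomes a message/rfc822 part
    return bounce.as_bytes()


print(suspicious_attachments(build_sample_bounce()))  # [('details.pif', True, True, 64)]
```

A real filter would act on a hit regardless of the envelope sender, which is the point for bounces: the MAILER-DAEMON origin is not a reason to exempt the attachment.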

