[Mimedefang] Virus getting by MD

Stefano McGhee SMcGhee at ARCweb.com
Wed Aug 27 13:29:00 EDT 2003


Hello Ole and others,
	Just got back from lunch (mmmm, burger...) and was thinking about
this issue.  Ole, you suspect that it is either an MTA mangling the
attachment or a new virus.  I think that it is the first.  This is because
my MD implementation (and probably others) would ordinarily remove
attachments with bad filenames, even if the virus scanner didn't think it
was a virus.  The pif attachments are remaining in place, so I suspect
Sendmail or MD or that Perl module that MD uses to read and manipulate the
parts (the name escapes me) is missing the attachment.  What is equally
weird is that my Exchange server *DOES* pick up the attachment and removes
it.  The bounces seem to come from Exim (or what appears to be Exim).  That
could just be a coincidence.  This is weird behavior, though...

Cheers,

Stefano 

> > MD and uvscan are still catching viruses, but the ones that get through are
> > sent from MAILER-DAEMON, Mail Delivery System, and Mail Delivery
> > Subsystem to internal users.  Some of these addresses have full email
> > addresses and some only have friendly names.  Checking the
> 
> 	I'm seeing some of the same kind of behavior with clamscan.
> Certainly lots of SoBig is getting caught (18821 over the last 48
> hours against a total volume of 45282 emails, according to that
> ever-so-useful tool GraphDefang) but occasionally a bounce from some
> less-than-perfectly configured MTA somewhere will show up in a user's
> mailbox with a defanged details.pif or what have you. 
> 
> 
> 	I assumed this was either 1) an MTA truncating (or otherwise
> mangling) the MIME attachment as part of the bounce process, or 2) a
> new virus. I noted this morning that freshclam updated my DBs twice
> recently, so I'd been leaning towards option 2, but I just rescanned
> my sample of one of the newcomers and clamscan doesn't flag it.
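An added example, not code from this thread or from MIMEDefang itself, illustrating the first of Ole's two hypotheses: a bad-filename filter can miss a .pif that is wrapped inside a bounce, either because the filter only inspects the top-level parts and never descends into the attached message/rfc822, or because the bouncing MTA dropped the Content-Disposition header and the filename survives only in the Content-Type name parameter. The bounce below is constructed, the addresses use the reserved .invalid domain, and the extension list, function names and scanning modes are assumptions; it uses Python's email module rather than the Perl filter MIMEDefang actually runs.

```python
import email
from email import policy
from email.utils import collapse_rfc2231_value

# Extensions a filter would strip regardless of what the virus scanner says
# (assumption: a short list chosen for the example, .pif included for the thread's case).
BAD_EXTENSIONS = (".pif", ".scr", ".bat", ".com", ".exe", ".vbs")

# Constructed bounce: a multipart/report DSN whose original message is attached
# as message/rfc822 and carries details.pif two levels down. The base64 body is
# harmless sample text, not an executable.
RAW_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.invalid>
To: user@example.invalid
Subject: Mail delivery failed: returning message to sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

--outer
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.invalid

Final-Recipient: rfc822; nobody@example.invalid
Action: failed
Status: 5.1.1

--outer
Content-Type: message/rfc822

From: user@example.invalid
To: nobody@example.invalid
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain; charset=us-ascii

See the attached file for details.

--inner
Content-Type: application/octet-stream; name="details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="details.pif"

Tm90IGEgcmVhbCBleGVjdXRhYmxlLCBqdXN0IHNhbXBsZSBieXRlcy4=
--inner--

--outer--
"""

# Same bounce after an MTA that rewrote the attachment and lost its Content-Disposition,
# leaving the filename only in the Content-Type name parameter.
RAW_BOUNCE_NO_DISPOSITION = RAW_BOUNCE.replace(
    'Content-Disposition: attachment; filename="details.pif"\n', "")


def has_bad_extension(name):
    """True if the (possibly padded or mixed-case) filename ends in a blocked extension."""
    if not name:
        return False
    return name.strip().lower().endswith(BAD_EXTENSIONS)


def disposition_filename(part):
    """What a filter that trusts only Content-Disposition sees (None if the header is gone)."""
    return part.get_param("filename", None, header="content-disposition")


def part_filenames(part):
    """Every filename-like value on a part: Content-Disposition filename and Content-Type name.
    RFC 2231 encoded parameters come back as tuples, so collapse them to plain strings."""
    names = []
    filename = part.get_filename()  # falls back to the Content-Type name parameter itself
    if filename:
        names.append(filename)
    ct_name = part.get_param("name", None, header="content-type")
    if ct_name:
        ct_name = collapse_rfc2231_value(ct_name)
        if ct_name not in names:
            names.append(ct_name)
    return names


def find_bad_attachments(raw, recursive=True, disposition_only=False):
    """Return the blocked filenames found in a raw message.

    recursive=False looks only at the direct children of the top-level multipart,
    so anything inside an attached message/rfc822 is invisible.
    disposition_only=True ignores the Content-Type name parameter."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = msg.walk() if recursive else msg.iter_parts()
    hits = []
    for part in parts:
        names = [disposition_filename(part)] if disposition_only else part_filenames(part)
        hits.extend(name for name in names if has_bad_extension(name))
    return hits


if __name__ == "__main__":
    print("top-level only:      ", find_bad_attachments(RAW_BOUNCE, recursive=False))
    print("recursive:           ", find_bad_attachments(RAW_BOUNCE))
    print("disposition only:    ", find_bad_attachments(RAW_BOUNCE_NO_DISPOSITION, disposition_only=True))
    print("recursive, both hdrs:", find_bad_attachments(RAW_BOUNCE_NO_DISPOSITION))
```

The top-level-only scan returns nothing for the first bounce and the disposition-only scan returns nothing for the second, while walking every part and reading both header locations catches details.pif in both cases. The practical check for a MIMEDefang deployment is to confirm that the filter's filename test is applied to nested parts and to the Content-Type name parameter, not just to Content-Disposition at the outermost level.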
