[Mimedefang] Virus getting by MD

Mathew Thomas mathew.thomas at rmit.edu.au
Thu Aug 28 19:54:00 EDT 2003


Hi All,

The same thing is happening to me also. I have got MD 2.36, with SpamAssassin 2.55 and McAfee uvscan on my Solaris box mail gateway. In the mimedefang-filter rule, I am screening out attachments with .pif and .scr. Staff mail from the gateway is going to another box running McAfee Webshield. The Webshield box reported it received and filtered about 50 viruses. I noticed that all are of two virus types, Sobig and Exploit-MIME.gen.b. How did they get through my MD? My MD installation on 3 mail gateways has been filtering about 5000 to 10,000 viruses per day in the last week.

Thanks
Mathew

>>> SMcGhee at ARCweb.com 28/08/03 3:28:20 >>>
Hello Ole and others,
	Just got back from lunch (mmmm, burger...) and was thinking about
this issue.  Ole, you suspect that it is either an MTA mangling the
attachment or a new virus.  I think that it is the first.  This is because
my MD implementation (and probably others) would ordinarily remove
attachments with bad filenames, even if the virus scanner didn't think it
was a virus.  The pif attachments are remaining in place, so I suspect
Sendmail or MD or that Perl module that MD uses to read and manipulate the
parts (the name escapes me) is missing the attachment.  What is equally
weird is that my Exchange server *DOES* pick up the attachment and removes
it.  The bounces seem to come from Exim (or what appears to be Exim).  That
could just be a coincidence.  This is weird behavior, though...

Cheers,

Stefano 

> > MD and uvscan is still catching viruses, but the ones that get through are
> > sent from MAILER-DAEMON, Mail Delivery System, and Mail Delivery
> > Subsystem to internal users.  Some of these addresses have full email
> > addresses and some only have friendly names.  Checking the
> 
> 	I'm seeing some of the same kind of behavior with clamscan.
> Certainly lots of SoBig is getting caught (18821 over the last 48
> hours against a total volume of 45282 emails, according to that
> ever-so-useful tool GraphDefang) but occasionally a bounce from some
> less-than-perfectly configured MTA somewhere will show up in a user's
> mailbox with a defanged details.pif or what have you. 
> 
> 
> 	I assumed this was either 1) an MTA truncating (or otherwise
> mangling) the MIME attachment as part of the bounce process, or 2) a
> new virus. I noted this morning that freshclam updated my DBs twice
> recently, so I'd been leaning towards option 2, but I just rescanned
> my sample of one of the newcomers and clamscan doesn't flag it.

_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com 
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
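As an added example (not from this thread and not MIMEDefang's own code), here is a Python check of the kind a gateway filter has to do on the bounces described above: it walks a constructed delivery-failure report, descends into the message/rfc822 copy of the original message, and looks at both the Content-Disposition filename= and the Content-Type name= parameter, so a details.pif riding inside the bounce is still reported. The blocked-extension list is a constructed subset, not anyone's real filter.

```python
import email
import re
from email import policy

# Constructed subset of the extensions a typical mimedefang-filter blocks.
BAD_EXT_RE = re.compile(r'\.(pif|scr|exe|bat|com|vbs)$', re.IGNORECASE)

def part_names(part):
    """Yield every name a part carries: get_filename() prefers the
    Content-Disposition filename= and falls back to Content-Type name=;
    checking name= separately also catches a part where the two differ."""
    fn = part.get_filename()
    if fn:
        yield fn
    name = part.get_param('name')
    if name and name != fn:
        yield name

def scan(raw):
    """Return (is_bounce, [blocked filenames]). walk() descends into
    message/rfc822 parts, so an attachment inside the bounced copy of the
    original message is inspected exactly like a top-level one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    is_bounce = (msg.get_content_type() == 'multipart/report'
                 or 'mailer-daemon' in str(msg.get('From', '')).lower())
    bad = [n for part in msg.walk() for n in part_names(part)
           if BAD_EXT_RE.search(n)]
    return is_bounce, bad

# Constructed sample: a delivery failure report wrapping the original
# message, whose details.pif is named only by a Content-Type name= param.
BOUNCE = b"""From: Mail Delivery System <MAILER-DAEMON@mta.example.invalid>
To: staff@example.invalid
Subject: Mail delivery failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary="outer"

--outer
Content-Type: message/rfc822

From: sender@example.invalid
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: application/octet-stream; name="details.pif"

(constructed placeholder, not an executable)
--inner--
--outer--
"""
```

Running scan(BOUNCE) returns (True, ['details.pif']); a bounce whose MTA pasted the original message into a text/plain body instead of a proper part yields no names at all, which is the case where only the user's mail client ever sees an attachment.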
