[Mimedefang] Viruses getting in via undeliverables

tyler tyler at hudakville.com
Fri Jan 30 09:50:42 EST 2004


We are starting to see the MyDoom virus come in via email and getting
past our MIMEDefang setup that has anti-virus watching it.  After
researching this, the viruses are coming in through undeliverable messages.

What is happening is that some mailers are replying with undeliverables
and are including the entire email that was sent in the reply,
attachments and all.  So, the virus is basically coming in as an
attachment to an attachment, and for some reason the antivirus software
on two different systems cannot catch it.  However, desktop antivirus is
catching it.

I've included the headers for one of the emails that got through.  How
can these be blocked?

It looks like possibly blocking Content-Type: message/rfc822 attachments
from getting in would do it, but I don't know if that's possible and have
a feeling it would lead to a lot of problems.

Thanks.

Tyler

Received: from mail.roadway.com (mail.roadway.com [x.x.x.x])
    by internal.roadway.com (8.12.11/8.12.11) with ESMTP id
i0TIvkqt011899
    for <tyler.hudak at roadway.com>; Thu, 29 Jan 2004 13:57:46 -0500
Received: from padron.exectravel.com ([206.154.248.194])
    by mail.roadway.com (8.12.10/8.12.10) with ESMTP id i0TIvqh2021122
    for <bob.kadinkin at roadway.com>; Thu, 29 Jan 2004 13:57:48 -0500
Received: from mail pickup service by padron.exectravel.com with Microsoft
SMTPSVC;
     Thu, 29 Jan 2004 13:56:47 -0500
X-Sender: System Administrator <>
X-receiver: bob.kadinkin at roadway.com
Thread-Topic: Undeliverable: HI
thread-index: AcPmmaUK2nGosWsbROyARIUn+NCxBg==
From: "System Administrator" <administrator at exectravel.com>
Sender: "System Administrator" <postmaster at exectravel.com>
To: <bob.kadinkin at roadway.com>
Subject: Undeliverable: HI
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type=delivery-status;
    boundary="----=_NextPart_000_15937E_01C3E66F.BC38C020"
Content-Class: urn:content-classes:dsn
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <PADRON5Jow4CkawxSkj0000e0bf at padron.exectravel.com>
X-OriginalArrivalTime: 29 Jan 2004 18:56:47.0354 (UTC)
FILETIME=[A54345A0:01C3E699]
Date: 29 Jan 2004 13:56:47 -0500
X-Scanned-By: MIMEDefang 2.39

This is a multi-part message in MIME format.

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: message/rfc822

?thread-index: AcPmmaSezSHsAorOTie11QZjrk5JJg==
Received: from roadway.com ([141.156.107.78]) by padron.exectravel.com with
Microsoft SMTPSVC(5.0.2195.6713); Thu, 29 Jan 2004 13:56:45 -0500
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
From: <bob.kadinkin at roadway.com>
To: <vt at exectravel.com>
Subject: HI
Date: Thu, 29 Jan 2004 13:56:45 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_5934E0B6.8C76B4B9"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <tyler.hudak at roadway.com>
Message-ID: <PADRONYdOiQ4rYnevYJ0000e0bd at padron.exectravel.com>
X-OriginalArrivalTime: 29 Jan 2004 18:56:45.0541 (UTC)
FILETIME=[A42EA150:01C3E699]

This is a multi-part message in MIME format.

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by
taomap.ago.roadway.com id i0TIvkqt011899

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: application/octet-stream;
    name="body.zip"
Content-Disposition: attachment;
    filename="body.zip"
Content-Transfer-Encoding: base64

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: application/octet-stream;
    name="body.zip"
Content-Disposition: attachment;
    filename="body.zip"
Content-Transfer-Encoding: base64

------=_NextPart_000_0006_5934E0B6.8C76B4B9--

------=_NextPart_000_15937E_01C3E66F.BC38C020--
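
An added example, not part of the original post and not MIMEDefang filter code: it uses Python's standard `email` package to walk a bounce shaped like the one above and report named attachments that sit inside an embedded `message/rfc822` part, which is the nesting the post describes. The sample message, the `RISKY_EXT` list and the function names are constructed for illustration.

```python
import email

RISKY_EXT = (".zip", ".exe", ".scr", ".pif")  # assumption: example site policy

# Constructed sample shaped like the bounce in the post (placeholder payload).
SAMPLE = """\
Subject: Undeliverable: HI
Content-Type: multipart/report; report-type=delivery-status; boundary="OUTER"

--OUTER
Content-Type: text/plain

Delivery failed.
--OUTER
Content-Type: message/delivery-status

Action: failed

--OUTER
Content-Type: message/rfc822

Subject: HI
Content-Type: multipart/mixed; boundary="INNER"

--INNER
Content-Type: application/octet-stream; name="body.zip"
Content-Disposition: attachment; filename="body.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--INNER--
--OUTER--
"""

def nested_attachments(msg, path=()):
    """Yield (container_path, filename) for each named leaf part."""
    here = path + (msg.get_content_type(),)
    if here[-1] == "message/delivery-status":
        return  # per-recipient status fields only, nothing to scan
    if msg.is_multipart():  # also true for message/rfc822 (one sub-message)
        for sub in msg.get_payload():
            yield from nested_attachments(sub, here)
    elif msg.get_filename():
        yield here, msg.get_filename()

def risky_in_bounce(raw):
    """Return risky-named attachments that sit inside an embedded message."""
    msg = email.message_from_string(raw)
    return [(" > ".join(p), n) for p, n in nested_attachments(msg)
            if "message/rfc822" in p and n.lower().endswith(RISKY_EXT)]
```

The returned path shows how deep the attachment sits, so a policy can act on the embedded part alone instead of rejecting every `message/rfc822` attachment.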


