We are starting to see the MyDoom virus come in via email and getting
past our MIMEDefang setup that has anti-virus watching it.  After
researching this, the viruses are coming in through undeliverable messages.

What is happening is that some mailers are replying with undeliverables
and are including the entire email that was sent in the reply,
attachments and all.  So, the virus is basically coming in as an
attachment to an attachment, and for some reason the antivirus software
on two different systems cannot catch it.  However, desktop antivirus is
catching it.

I've included the headers for one of the emails that got through.  How
can these be blocked?

It looks like possibly blocking Content-Type: message/rfc822 attachments
from getting in would do it, but I don't know if that's possible and have
a feeling it would lead to a lot of problems.

Thanks.

Tyler

Received: from mail.roadway.com (mail.roadway.com [x.x.x.x])
    by internal.roadway.com (8.12.11/8.12.11) with ESMTP id
i0TIvkqt011899
    for <[EMAIL PROTECTED]>; Thu, 29 Jan 2004 13:57:46 -0500
Received: from padron.exectravel.com ([206.154.248.194])
    by mail.roadway.com (8.12.10/8.12.10) with ESMTP id i0TIvqh2021122
    for <[EMAIL PROTECTED]>; Thu, 29 Jan 2004 13:57:48 -0500
Received: from mail pickup service by padron.exectravel.com with Microsoft
SMTPSVC;
     Thu, 29 Jan 2004 13:56:47 -0500
X-Sender: System Administrator <>
X-receiver: [EMAIL PROTECTED]
Thread-Topic: Undeliverable: HI
thread-index: AcPmmaUK2nGosWsbROyARIUn+NCxBg==
From: "System Administrator" <[EMAIL PROTECTED]>
Sender: "System Administrator" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Undeliverable: HI
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type=delivery-status;
    boundary="----=_NextPart_000_15937E_01C3E66F.BC38C020"
Content-Class: urn:content-classes:dsn
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 29 Jan 2004 18:56:47.0354 (UTC)
FILETIME=[A54345A0:01C3E699]
Date: 29 Jan 2004 13:56:47 -0500
X-Scanned-By: MIMEDefang 2.39

This is a multi-part message in MIME format.

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: message/rfc822

?thread-index: AcPmmaSezSHsAorOTie11QZjrk5JJg==
Received: from roadway.com ([141.156.107.78]) by padron.exectravel.com with
Microsoft SMTPSVC(5.0.2195.6713); Thu, 29 Jan 2004 13:56:45 -0500
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: HI
Date: Thu, 29 Jan 2004 13:56:45 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_5934E0B6.8C76B4B9"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 29 Jan 2004 18:56:45.0541 (UTC)
FILETIME=[A42EA150:01C3E699]

This is a multi-part message in MIME format.

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by
taomap.ago.roadway.com id i0TIvkqt011899

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: application/octet-stream;
    name="body.zip"
Content-Disposition: attachment;
    filename="body.zip"
Content-Transfer-Encoding: base64

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: application/octet-stream;
    name="body.zip"
Content-Disposition: attachment;
    filename="body.zip"
Content-Transfer-Encoding: base64

------=_NextPart_000_0006_5934E0B6.8C76B4B9--

------=_NextPart_000_15937E_01C3E66F.BC38C020--
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
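
The nesting described in the post, as an added example (not part of the original message and not MIMEDefang filter code): a Python sketch that walks a bounce, descends into each message/rfc822 wrapper, and reports every named attachment with the number of wrappers around it. The sample message, the function names `find_attachments` and `scan`, and the addresses-free headers are constructed for illustration.

```python
import email
from email import policy

# Constructed sample modelled on the bounce in the post; "UEsDBA==" is just
# the four-byte ZIP magic, not a real archive.
SAMPLE_DSN = b"""\
Subject: Undeliverable: HI
Content-Type: multipart/report; report-type=delivery-status; boundary="outer"

--outer
Content-Type: text/plain

Delivery failed.
--outer
Content-Type: message/rfc822

Subject: HI
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: application/octet-stream; name="body.zip"
Content-Disposition: attachment; filename="body.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--inner--
--outer--
"""

def find_attachments(part, depth=0):
    """Return (depth, filename, is_zip) for every named leaf part.

    depth counts the message/rfc822 wrappers around the part, so 0 is the
    bounce itself and 1 is the original mail returned inside it."""
    found = []
    if part.get_content_type() == "message/rfc822":
        depth += 1
    if part.is_multipart():  # true for multipart/* and for message/rfc822
        for sub in part.get_payload():
            found += find_attachments(sub, depth)
    elif part.get_filename():
        data = part.get_payload(decode=True) or b""
        found.append((depth, part.get_filename(), data.startswith(b"PK\x03\x04")))
    return found

def scan(raw):
    """Parse raw message bytes and list attachments at every nesting level."""
    return find_attachments(email.message_from_bytes(raw, policy=policy.default))
```

For the sample, `scan(SAMPLE_DSN)` reports `body.zip` at depth 1, which is the part a scanner has to reach and decode for the bounce to be checked.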
