Hi all..

Ever since this latest virus outbreak started I've been seeing a number of odd messages getting through without being flagged, apparently. Example follows (munged obfuscation applied):
=========
From [EMAIL PROTECTED] Tue Feb 3 08:55:32 2004
Return-Path: <[EMAIL PROTECTED]>
Received: from myserver.mydomain.com.au ([unix socket])
by myserver (Cyrus v2.1.14-IPv6-Debian-2.1.14-3) with LMTP; Tue, 03 Feb 2004 08:55:32 +1100
X-Sieve: CMU Sieve 2.2
Received: from dodo.com.au (ESS-p-144-138-109-159.mega.tmns.net.au [144.138.109.159])
by myserver. mydomain.com.au (8.12.9/8.12.9/Debian-5) with ESMTP id i12LsJEm015522
for <myuser@ mydomain.com.au>; Tue, 3 Feb 2004 08:54:21 +1100
Message-Id: <[EMAIL PROTECTED] mydomain.com.au>
From: [EMAIL PROTECTED]
To: myuser@ mydomain.com.au
Subject: Hello
Date: Tue, 3 Feb 2004 07:55:01 +1000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_CD05CB46.BD84472F"
X-Priority: 3
X-MSMail-Priority: Normal
X-Scanned-By: MIMEDefang 2.37


This is a multi-part message in MIME format...

------=_NextPart_000_0004_CD05CB46.BD84472F
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

The message contains Unicode characters and has been sent as a binary attachment.


------=_NextPart_000_0004_CD05CB46.BD84472F--


..and that's all there is.

The log shows nothing unusual that I can see.. it's detecting the bad content and setting drop=1 (I'm using action_drop on everything this week and stuff the consequences ;-) but it's still delivering.


============
Feb 3 08:55:31 inserver sm-mta[15522]: i12LsJEm015522: from=< [EMAIL PROTECTED]>, size=31180, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=ESS-p-144-138-109-159.mega.tmns.net.au [144.138.109.159]
Feb 3 08:55:31 inserver mimedefang.pl[11244]: MDLOG,i12LsJEm015522,bad_filename,text.bat,application/octet-stream,< [EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Hello
Feb 3 08:55:32 inserver mimedefang.pl[11244]: filter: i12LsJEm015522: drop=1
Feb 3 08:55:32 inserver sm-mta[15522]: i12LsJEm015522: Milter change: header Content-Type: from multipart/mixed;\n\tboundary="---- =_NextPart_000_0004_CD05CB46.BD84472F" to multipart/mixed; boundary="----=_NextPart_000_0004_CD05CB46.BD84472F"
Feb 3 08:55:32 inserver sm-mta[15522]: i12LsJEm015522: Milter change: header MIME-Version: from 1.0 to 1.0
Feb 3 08:55:32 inserver sm-mta[15522]: i12LsJEm015522: Milter message: body replaced
Feb 3 08:55:32 inserver sm-mta[15522]: i12LsJEm015522: Milter add: header: X-Scanned-By: MIMEDefang 2.37
Feb 3 08:55:32 inserver sm-mta[15525]: i12LsJEm015522: to=<[EMAIL PROTECTED]>, delay=00:01:11, xdelay=00:00:00, mailer=cyrus, pri=120248, relay=localhost, dsn=2.0.0, stat=Sent




Is anyone else getting these, and if so, what do you do about it? This MD newbie here isn't sure where to go next...

cheers,
..S.

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
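
An added example, not part of the original post and not MIMEDefang's own code: it correlates mimedefang.pl and sm-mta log lines by queue ID to list messages that were flagged with bad_filename yet still logged stat=Sent, and marks whether sendmail recorded "Milter message: body replaced" before delivery. The MDLOG field order (queue ID, event, value) is assumed from the log line quoted above; the addresses and the second and third queue IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the log quoted in the post; addresses are placeholders.
SAMPLE_LOG = """\
Feb 3 08:55:31 inserver mimedefang.pl[11244]: MDLOG,i12LsJEm015522,bad_filename,text.bat,application/octet-stream,<s@example.invalid>,<r@example.invalid>,Hello
Feb 3 08:55:32 inserver mimedefang.pl[11244]: filter: i12LsJEm015522: drop=1
Feb 3 08:55:32 inserver sm-mta[15522]: i12LsJEm015522: Milter message: body replaced
Feb 3 08:55:32 inserver sm-mta[15525]: i12LsJEm015522: to=<r@example.invalid>, mailer=cyrus, dsn=2.0.0, stat=Sent
Feb 3 09:10:02 inserver mimedefang.pl[11244]: MDLOG,i12MA1Em015601,bad_filename,doc.pif,application/octet-stream,<s@example.invalid>,<r@example.invalid>,Hi
Feb 3 09:10:03 inserver sm-mta[15603]: i12MA1Em015601: to=<r@example.invalid>, mailer=cyrus, dsn=2.0.0, stat=Sent
Feb 3 09:12:40 inserver sm-mta[15610]: i12MCbEm015609: to=<r@example.invalid>, mailer=cyrus, dsn=2.0.0, stat=Sent
"""

MDLOG = re.compile(r"mimedefang\.pl\[\d+\]: MDLOG,([^,]+),([^,]+),([^,]*),")
FILTER = re.compile(r"mimedefang\.pl\[\d+\]: filter: (\w+): (.+)$")
MTA = re.compile(r"sm-mta\[\d+\]: (\w+): (.+)$")

def correlate(log_text):
    """Group filter and MTA events by sendmail queue ID."""
    msgs = defaultdict(lambda: {"events": [], "actions": {},
                                "rewritten": False, "delivered": False})
    for line in log_text.splitlines():
        if m := MDLOG.search(line):
            msgs[m.group(1)]["events"].append((m.group(2), m.group(3)))
        elif m := FILTER.search(line):
            for pair in m.group(2).split():          # e.g. "drop=1"
                name, _, count = pair.partition("=")
                if count.isdigit():
                    msgs[m.group(1)]["actions"][name] = int(count)
        elif m := MTA.search(line):
            qid, rest = m.groups()
            if rest.startswith("Milter message: body replaced"):
                msgs[qid]["rewritten"] = True        # delivered copy is the filter's rewrite
            elif rest.startswith("to=") and "stat=Sent" in rest:
                msgs[qid]["delivered"] = True
    return dict(msgs)

def flagged_but_delivered(log_text):
    """Return (queue_id, filenames, verdict) for flagged messages that were delivered."""
    out = []
    for qid, rec in sorted(correlate(log_text).items()):
        names = [v for event, v in rec["events"] if event == "bad_filename"]
        if names and rec["delivered"]:
            verdict = "delivered-rewritten" if rec["rewritten"] else "delivered-unmodified"
            out.append((qid, names, verdict))
    return out

if __name__ == "__main__":
    for qid, names, verdict in flagged_but_delivered(SAMPLE_LOG):
        print(qid, ",".join(names), verdict)
```

A "delivered-rewritten" entry matches the case in the post, where the recipient got only the text part; a "delivered-unmodified" entry is the one to investigate first.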
