[Esd-l] Odd behavior with the new outbreak
John D. Hardin
jhardin at impsec.org
Sat Aug 23 06:52:17 PDT 2003
On Fri, 22 Aug 2003, Chris Rothbauer wrote:
> For the past few days, we've been getting 'you sent a virus'
> messages from mailserver-virus products. For some reason, some of
> these emails contain the actual original (still infected) email as
> an attachment. So we have 1) Bob in Timbuktu sends the virus as
> me, then 2) I actually get the virus, as an attachment, in the
> original receiving gateway's virus auto-reply. How screwed is
> that?
It's vaguely possible that the MTA that's bouncing the attack is
either breaking the MIME message format in some way the sanitizer
cannot deal with, or is doing something like base64 encoding the
entire original message.
> What can I do to try and collect more info? Or better yet, has
> anyone seen this and dealt with it already? Catching it actually
> ON our corporate mail server is just a bit too close to home. I
> really want to get this one fixed.
I would write a procmail rule before the sanitizer call to detect
messages with "bounced" headers and either quarantine them or save a
copy on the procmail gateway. I won't be able to say why this is
happening until I can see a raw message in the state that the
sanitizer sees it.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
70 days until Matrix Revolutions
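An added example, not from John's reply or the sanitizer project: a Python check that a procmail recipe could pipe the raw message through before the sanitizer call. It flags the "bounced" headers John wants quarantined and reports whether the attached original arrives as a base64-encoded message/rfc822 part, the structure he suspects the sanitizer cannot see into. The header marker list and both sample messages are constructed assumptions.

```python
"""Pre-sanitizer check for AV auto-replies that carry the original mail."""
import base64
import email

# Header markers of an automated bounce / AV notification (constructed list).
BOUNCE_MARKERS = (
    ("from", ("mailer-daemon", "postmaster")),
    ("auto-submitted", ("auto-replied", "auto-generated")),
    ("subject", ("virus", "undeliverable", "returned mail")),
)

def is_bounce(msg):
    """True when a header carries a bounce marker or the mail is a DSN report."""
    for header, needles in BOUNCE_MARKERS:
        value = (msg.get(header) or "").lower()
        if any(n in value for n in needles):
            return True
    return msg.get_content_type() == "multipart/report"

def embedded_originals(msg):
    """(content-type, transfer-encoding) of every message/rfc822 part.

    A base64-encoded message/rfc822 part is the suspected case: the inner
    message is opaque text to a filter that only walks the outer MIME parts.
    """
    return [(p.get_content_type(),
             (p.get("Content-Transfer-Encoding") or "7bit").lower())
            for p in msg.walk() if p.get_content_type() == "message/rfc822"]

def classify(raw):
    """Decide what a procmail recipe run before the sanitizer should do."""
    msg = email.message_from_bytes(raw)
    originals = embedded_originals(msg)
    return {
        "quarantine": is_bounce(msg),            # save a raw copy, skip sanitizer
        "embedded": originals,
        "opaque_original": any(enc == "base64" for _, enc in originals),
    }

# Constructed sample: an AV gateway auto-reply wrapping the forged mail as base64.
INNER = (b"From: bob@example.net\r\nTo: me@example.org\r\nSubject: Re: details\r\n"
         b"Content-Type: application/octet-stream; name=\"details.pif\"\r\n\r\n"
         b"(constructed placeholder body)\r\n")
NOTIFY = (b"From: MAILER-DAEMON@gw.example (Virus Scanner)\r\nTo: me@example.org\r\n"
          b"Subject: Virus detected in your message\r\nAuto-Submitted: auto-replied\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"B1\"\r\n\r\n"
          b"--B1\r\nContent-Type: text/plain\r\n\r\nYour message carried a virus.\r\n"
          b"--B1\r\nContent-Type: message/rfc822\r\nContent-Transfer-Encoding: base64\r\n\r\n"
          + base64.encodebytes(INNER) + b"--B1--\r\n")
PLAIN = b"From: alice@example.org\r\nSubject: lunch\r\n\r\nNoon?\r\n"

if __name__ == "__main__":
    print(classify(NOTIFY))  # quarantine True, opaque_original True
    print(classify(PLAIN))   # quarantine False, no embedded originals
```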