[Esd-l] Odd behavior with the new outbreak

John D. Hardin jhardin at impsec.org
Sat Aug 23 06:52:17 PDT 2003


On Fri, 22 Aug 2003, Chris Rothbauer wrote:

> For the past few days, we've been getting 'you sent a virus'
> messages from mailserver-virus products. For some reason, some of
> these emails contain the actual original (still infected) email as
> an attachment. So we have 1) Bob in Timbuktu sends the virus as
> me, then 2) I actually get the virus, as an attachment, in the
> original receiving gateway's virus auto-reply. How screwed is
> that?

It's vaguely possible that the MTA that's bouncing the attack is
either breaking the MIME message format in some way the sanitizer
cannot deal with, or is doing something like base64 encoding the
entire original message.
 
> What can I do to try and collect more info? Or better yet, has
> anyone seen this and dealt with it already? Catching it actually
> ON our corporate mail server is just a bit too close to home. I
> really want to get this one fixed.

I would write a procmail rule before the sanitizer call to detect
messages with "bounced" headers and either quarantine them or save a
copy on the procmail gateway. I won't be able to say why this is
happening until I can see a raw message in the state that the
sanitizer sees it.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   70 days until Matrix Revolutions



More information about the esd-l mailing list