On Sat, Aug 30, 2003 at 08:18:23PM -0400, Marc Nicholas wrote:
> I have Qmail-scanner/ClamAV/SpamAssassin running on a RedHat box with
> Qmail-1.03. There's definitely stuff going to quarantine, but I'm being told
> users are still getting lots of Sobig worm messages...any clues as to why
> some stuff is definitely getting nuked, but other stuff makes it through?

I'll take a guess.

What can happen is Sobig sends a viral email as "user1", it bounces/is rejected and returns to "user1". However, the format of that bounce is the old-style Unix bounce: i.e. the original message is APPENDED to a bounce msg - not as an attachment - just banged onto the end of the file. Q-S won't spot the copy of SoBig as it's not an attachment any longer (and neither will Outlook BTW) - but some other AV systems do.

Sounds likely? As I don't know of any MUA that'd even be able to see there was an attachment in that bounce, I don't really care that Q-S doesn't catch it. Not catching "corrupted" viruses doesn't seem much of a bug to me...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
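
The bounce format described in the reply above can be checked for on the scanning side. This is an added example, not part of the original post and not Qmail-Scanner code: it shows that a MIME parser finds no attachment in a bounce with the original appended to its body, and that re-parsing the appended text recovers it. The addresses, the "Original message follows" marker, the file name and the header-name heuristic are all assumptions made for the sample.

```python
import email
import re
from email import policy

# Constructed sample: the rejected MIME message (harmless base64 payload).
ORIGINAL = (
    "From: user1@example.com\r\n"
    "Subject: Re: Details\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee the attached file\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="details.pif"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="details.pif"\r\n\r\n'
    "Y29uc3RydWN0ZWQgc2FtcGxl\r\n--b1--\r\n"
)
# Constructed bounce: ORIGINAL is appended to the plain-text body, so the
# bounce itself has no MIME structure and no attachment part.
BOUNCE = (
    "From: MAILER-DAEMON@example.net\r\n"
    "To: user1@example.com\r\n"
    "Subject: failure notice\r\n\r\n"
    "Sorry, the message could not be delivered.\r\n\r\n"
    "--- Original message follows.\r\n\r\n" + ORIGINAL
)
# Header names that commonly open an RFC 822 header block (assumed heuristic).
HEADER_START = re.compile(r"^(?:Return-Path|Received|From|MIME-Version):", re.M | re.I)

def attachment_names(raw):
    """Filenames a MIME-aware scanner sees when parsing raw as one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def appended_attachment_names(raw):
    """Re-parse a message appended inside a text body; list its attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_content()
        for m in HEADER_START.finditer(body):
            names = attachment_names(body[m.start():])
            if names:
                return names
    return []

if __name__ == "__main__":
    print(attachment_names(BOUNCE), appended_attachment_names(BOUNCE))
```
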