Our analysis of the messages that caused this problem in our department agrees with Doug's exactly.  The messages that were triggering Norton AV to quarantine the In box had a multi-part MIME structure embedded within the body of a message, in such a way that it was truly just plain text, not an encoded attachment.  In this form, no proper email program would decode it as an attachment such that the user could click on it.  As such, it is really of extremely low, almost zero, danger to the average user.  The fault seems to be that of Norton AV, in being too aggressive in its scanning.

At 04:07 PM 2/9/2004, Cheryl Akers wrote:
>Maybe this info will help.  I was getting DOOM embedded in my email and it
>kept getting stuck in the spooler for Eudora.  This was the response from
>Doug Nelson.
>
>
>>----------Forwarded message ----------
>>Return-path: <[log in to unmask]>
>>Envelope-to: [log in to unmask]
>>Delivery-date: Fri, 06 Feb 2004 09:32:43 -0500
>>Received: from clunix.cl.msu.edu ([35.9.2.10])
>>        by sys11.mail.msu.edu with esmtp (Exim 4.24 #37)
>>        id 1Ap72A-0008V0-WD
>>        for [log in to unmask]; Fri, 06 Feb 2004 09:32:43 -0500
>>Received: (from nelson@localhost)
>>        by clunix.cl.msu.edu (8.11.7p1+Sun/8.11.7) id i16EWfJ18494
>>        for [log in to unmask]; Fri, 6 Feb 2004 09:32:41 -0500 (EST)
>>From: Doug Nelson <[log in to unmask]>
>>Message-Id: <[log in to unmask]>
>>Subject: Re: MSU virus detection failure. (fwd)
>>To: [log in to unmask]
>>Date: Fri, 6 Feb 2004 09:32:40 -0500 (EST)
>>X-Mailer: ELM [version 2.5 PL2]
>>MIME-Version: 1.0
>>Content-Type: text/plain; charset=us-ascii
>>Content-Transfer-Encoding: 7bit
>>X-Virus: None found by Clam AV
>>X-Spam-Status: No, hits=1.3 required=5.0 tests=LARGE_HEX,UPPERCASE_25_50
>>        autolearn=no version=2.60
>>X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
>>        sys11.mail.msu.edu
>>X-Spam-Level: *
>> From our mail team:
>>"The message was sent from a box on ameritech.net to earthlink.
>>The recipient account was full, so earthlink wrapped the message in
>>multipart mime and bounced it to the forged sender.
>>Our current version of clam can't deal with multipart mime and sent it
>>through.  The latest version of clam can handle this but it has a memory
>>leak.  We are waiting for a patch before we try installing it again."
>>Doug
>>
>>Doug Nelson                     [log in to unmask]
>>Network Manager                 Ph: (517) 353-2980
>>Computer Laboratory             http://www.msu.edu/~nelson/
>>Michigan State University
>>
>>Forwarded message:
>>Subject: Re: MSU virus detection failure.
>>To: [log in to unmask] (Cheryl A Akers)
>>Date: Thu, 5 Feb 2004 16:57:56 -0500 (EST)
>>Cc: [log in to unmask]
>>In-Reply-To: <[log in to unmask]> from "Cheryl A Akers"
>>at Feb 05, 2004 10:16:06 AM
>>X-Mailer: ELM [version 2.5 PL2]
>>>The following message is being detected as DOOM by my desktop antivirus
>>>but missed by MSU.  This is the 2nd message in the last 10 minutes with
>>>this problem.  This has also happened to at least one other person in the
>>>Microbiology Department.
>>
>>I can pass this on to the mail.msu.edu team.  There are a couple
>>possibilities.
>>Either this is a new variant, and the virus definitions on mail.msu.edu had
>>not yet been updated to recognize it, or the returned message as seen by the
>>mail system did not contain the virus code as a true attachment.  From a quick
>>read of the headers, I don't see the "mime" encoding headers that would break
>>this out as a separate attachment.  Thus, it should be impossible for you to
>>receive the message, click on the attachment, and become infected, even if
>>your AV detected the virus signature.
>>Doug


--Chris
==============================================
Chris Wolf                    Computer Service Manager
Agricultural Economics        [log in to unmask]
Michigan State University     517 353-5017
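The distinction Chris and Doug draw above, between a true MIME attachment and MIME-looking text that merely sits inside a plain-text body, can be checked mechanically. The following is an added example, not code from this thread or from any of the products mentioned; it uses only the Python standard library, and both messages, the boundary string, the file name and the "payload" are constructed stand-ins (harmless ASCII, no virus code).

```python
"""
Added example: show why a structure-aware check sees no attachment in a
bounce that wraps a MIME message as plain text, while a raw byte scan
(the kind of check that quarantined the Eudora In box) fires on both.
All messages and values below are constructed for illustration.
"""
import base64
import re
from email import message_from_bytes, policy

# Constructed stand-in for attachment bytes; a real scanner would key on a
# virus signature here, this is just harmless text.
PAYLOAD = b"constructed stand-in for attachment bytes"
PAYLOAD_B64 = base64.b64encode(PAYLOAD).decode("ascii")

# Message 1: a genuine multipart/mixed message with a real attachment part.
REAL_ATTACHMENT_MSG = (
    "From: sender@example.invalid\r\n"
    "To: user@example.invalid\r\n"
    "Subject: constructed example 1\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY1"\r\n'
    "\r\n"
    "--BOUNDARY1\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Hello\r\n"
    "--BOUNDARY1\r\n"
    'Content-Type: application/octet-stream; name="file.bin"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="file.bin"\r\n'
    "\r\n"
    f"{PAYLOAD_B64}\r\n"
    "--BOUNDARY1--\r\n"
).encode("ascii")

# Message 2: a plain-text bounce whose body quotes message 1 verbatim, the
# shape Doug describes. The outer Content-Type is text/plain, so the inner
# MIME headers are body text and no client offers "file.bin" to click on.
WRAPPED_TEXT_MSG = (
    "From: mailer-daemon@example.invalid\r\n"
    "To: user@example.invalid\r\n"
    "Subject: constructed example 2 (bounce)\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "Your message could not be delivered. Original message follows:\r\n"
    "\r\n"
).encode("ascii") + REAL_ATTACHMENT_MSG

INNER_MIME_HEADER = re.compile(r"^Content-Type:\s*(application|multipart)/", re.I | re.M)


def real_attachments(raw: bytes) -> list:
    """Filenames of parts a mail client would present as attachments.

    Walks the parsed MIME tree; only leaf parts that are explicitly marked
    as attachments, or are non-text content, count.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment() or part.get_content_maintype() not in ("text", "message"):
            names.append(part.get_filename() or "<unnamed>")
    return names


def inline_mime_in_text_body(raw: bytes) -> bool:
    """True when a single-part text/plain body merely contains MIME header
    lines as text. That is what an over-aggressive scanner keys on; it is
    not something the user can open."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return False
    return bool(INNER_MIME_HEADER.search(msg.get_content()))


def raw_scan_hits(raw: bytes, needle: str = PAYLOAD_B64) -> bool:
    """A byte-level signature scan over the whole message: it cannot tell
    an attachment from the same bytes quoted inside a plain-text body."""
    return needle.encode("ascii") in raw


if __name__ == "__main__":
    for label, raw in (("real attachment", REAL_ATTACHMENT_MSG), ("wrapped bounce", WRAPPED_TEXT_MSG)):
        print(f"{label}: attachments={real_attachments(raw)} "
              f"inline_mime_text={inline_mime_in_text_body(raw)} "
              f"raw_scan_hit={raw_scan_hits(raw)}")
```

Running it prints a real attachment for message 1 and none for message 2, while `raw_scan_hits` is true for both: that gap between a byte-level match and the MIME structure is exactly the false positive Chris describes, and it is why a gateway or desktop scanner should decide on the parsed structure before quarantining an entire mailbox file.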