Thanks for looking at this. However, the virus has been removed from the message by Norton AV and it leaves the message:
"Norton AntiVirus removed the attachment: ofo.zip. The attachment was infected with the [EMAIL PROTECTED] virus." in it's place where the attachment originally was in the message body. You can see that the entire message was skipped from scanning according to the log snippet. There must have been something 'evil' in the way the originator composed the message for it to get through. I have seen several posts from the RedHat Network Mailing list stating that members' ISP captured the infected message, but QMS didn't because it thought the message was PLAIN Text somehow. I bring this up because it may be a new way for infectors to hide their attachment from certain scanners. --------------------- It looks like a Plain text message... I have decoded it and it is not the original message the content is: FIRST PART -------------------------------------------------------------- This is a multi-part message in MIME format. ------=_NextPart_000_0002_725357F2.E4764D92 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: base64 SECOND PART --------------------------------------------------------- ------=_NextPart_000_0002_725357F2.E4764D92 Content-Type: plain/text; name="Norton AntiVirus Deleted1.txt" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Norton AntiVirus Deleted1.txt" Tm9ydG9uIEFudGlWaXJ1cyByZW1vdmVkIHRoZSBhdHRhY2htZW50OiBvZm8uemlwLg0KVGhl IGF0dGFjaG1lbnQgd2FzIGluZmVjdGVkIHdpdGggdGhlIFczMi5Ob3ZhcmcuQUBtbSB2aXJ1 cy4= THIRD PART -------------------------------------------------------------- Norton AntiVirus removed the attachment: ofo.zip. The attachment was infected with the [EMAIL PROTECTED] virus. -------------------------------------------------------------- Anyway... I think that this virus are malformed, they didn't come as a real attachment so qs or thi av-scanners find them (I have forced qmail-scanner to don't skip text/plain messages and sophie did not find this virus. Salvatore ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Qmail-scanner-general mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
