[unisog] Sobig.f with stripped attachments.

Julian Field mailscanner at ecs.soton.ac.uk
Thu Aug 28 17:04:51 GMT 2003


At 17:43 28/08/2003, Martin Sapsed wrote:
>Michael Sofka wrote:
>>I suspect there is a bug in Sobig.f that, depending on the infected
>>machine, may not always attach the virus.  Alternatively, the virus
>>author intended this as another way of sowing uncertainty, doubt
>>and annoyance.  Or, perhaps to require we take steps such as blocking
>>X-MailScanner, or certain, common, subjects.
>
>Please don't block based on the X-MailScanner line - there are very many 
>sound systems using this excellent tool and you will block legitimate mail 
>from them. Genuine MailScanner users have been advised to localise this 
>header by a page at http://www.mailscanner.info but no doubt quite a few 
>won't get round to doing so or see the advice.

There are tens of thousands of sites around the world using MailScanner, so 
please do not advertise any rule which will block them. The "X-MailScanner" 
header in Sobig.f is obviously fake (it's before even the X-Mailer header). 
A *very* large number of people have their email protected by MailScanner 
(it's used by a lot of very large academic sites, for starters) and you 
really don't want to start blocking all their mail.

I have put up a web page encouraging sysadmins to customise their 
X-MailScanner headers to include their institution name, and have altered 
the default for future installations so that they say 
"X-yoursite-MailScanner" which will encourage the sysadmins to customise 
it, as they will look rather silly if they don't.

Many thanks.
-- 
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support



More information about the unisog mailing list