New Virus with Fake Microsoft Address...

Forrest Aldrich forrie at FORRIE.COM
Fri Sep 19 17:26:38 IST 2003


The body of the virus message seems to be pretty consistent, so if we could
fabricate a few rules for SpamAssassin (that list seems to be down, btw), I
think we could block/deny these at the transaction level, if you use
spamass-milter (which I do).

I looked through some of the examples, and I think you can do something
like this in local.cf:

         # LOCAL_RULE_NAME is a placeholder; a body rule takes the form: body NAME /regex/
         body LOCAL_RULE_NAME /some regex/

I've not had to touch the SA *.cf files for a while, so I'm a bit rusty on
its config syntax.

I'm getting hundreds of these damned messages coming in, so I've an impressive
firewall blocking list for now, but it's not going to scale very well.  I'd
prefer to use SpamAssassin rules.



Forrest


At 11:24 AM 9/19/2003, Steve Evans wrote:
>I'd say 20% are being tagged as a virus here, while the rest are being
>caught by file filter rules.  Kind of annoying because then the Silent
>Virus feature doesn't kick in.
>
>
>Steve Evans
>SDSU Foundation
>
>-----Original Message-----
>From: Ulysees [mailto:Ulysees at ULYSEES.COM]
>Sent: Friday, September 19, 2003 3:54 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: New Virus with Fake Microsoft Address...
>
> > Same MD5 sum I have here too, and ClamAV picks it up as Worm.Gibe.F
>
>OK, looks like I have a gremlin here somewhere. I've got other copies in
>since, with the same md5sum, and they get detected, but yet if I go and
>scan the attachment from the earlier message in it still thinks it is
>clean.
>I think the scanners are just trying to annoy me.
>
>Uly
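
An added example, not part of the original message: one way the local.cf rules discussed above could be laid out so that spamass-milter rejects a match during the SMTP transaction. The rule names, the regex text and the thresholds are constructed placeholders; the real phrases have to come from captured samples.

```conf
# local.cf fragment (constructed example; names and patterns are placeholders).
# Sub-rules whose names start with "__" carry no score of their own and only
# feed the meta rule, so one loosely matching phrase cannot reject mail alone.
body     __LOCAL_FAKEMS_BODY1   /PLACEHOLDER first fixed phrase from the message body/i
body     __LOCAL_FAKEMS_BODY2   /PLACEHOLDER second fixed phrase from the message body/i
header   __LOCAL_FAKEMS_FROM    From =~ /PLACEHOLDER sender pattern/i

# Require both body phrases; the From test is optional because sender
# addresses on these messages are forged and may vary.
meta     LOCAL_FAKEMS_WORM      (__LOCAL_FAKEMS_BODY1 && __LOCAL_FAKEMS_BODY2)
describe LOCAL_FAKEMS_WORM      Body text matches the fake Microsoft update message
score    LOCAL_FAKEMS_WORM      20.0

# A stricter variant that also needs the sender pattern, scored separately.
meta     LOCAL_FAKEMS_WORM_FROM (LOCAL_FAKEMS_WORM && __LOCAL_FAKEMS_FROM)
describe LOCAL_FAKEMS_WORM_FROM Fake Microsoft update body plus matching sender
score    LOCAL_FAKEMS_WORM_FROM 5.0

# Assumption: spamass-milter is started with "-r 15", so any message scoring
# 15 or more is rejected at SMTP time instead of being tagged and delivered.
# The 20.0 score above is chosen to clear that threshold on its own.
```

Run `spamassassin --lint` after editing local.cf to catch syntax errors before restarting spamd.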


