[URGENT] How to intercept a copy of virus-infected message?

Mike Brudenell pmb1 at YORK.AC.UK
Tue May 4 11:55:36 IST 2004


Greetings -

Many thanks to those who offered advice about intercepting the
possibly-unknown virus I was after.  I knew of the existence of
MailScanner's quarantining but had hoped it might be possible to only trap
messages failing filename-based rules instead of also trapping those
positively identified as viruses by Sophos.

I'd hoped it might be possible to do this selective quarantining using
rulesets somehow but couldn't see how: hence my question.

In the end I used regular quarantining and spent most of the day trying to
keep up with the influx of quarantined material.  Unfortunately I only had
one other 'strange' message come in that triggered the filename-based
rules, which turned out to be one from a mailing list that had carefully
removed the virus-infective payload and replaced it with boilerplate text
... unfortunately it had left the attachment's associated filename
unchanged and so Sophos said the message was clean but its ".exe" named
attachment triggered the filename-based rules.

I suspect that was also the cause of the outbreak earlier in the day.

Many thanks again,

Mike B-)

--
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811  FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
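
The case described in the message above (an attachment still named ".exe" whose payload had been replaced with boilerplate text) can be told apart from a real executable when triaging quarantined mail. The following Python function is an added example, not part of the original post and not MailScanner code; the extension list, function names and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed filename rule for this example; not MailScanner's actual rule set.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com")


def classify_attachments(raw_message: bytes):
    """Return [(filename, verdict)] for parts whose name matches the rule.

    "executable": payload starts with the DOS/PE "MZ" magic bytes.
    "name-only":  the name matches but the content is not an MZ image,
                  e.g. a payload a mailing list replaced with text.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():  # walk() also reaches nested multiparts
        name = part.get_filename() or ""
        if not name.lower().endswith(RISKY_EXTENSIONS):
            continue
        payload = part.get_payload(decode=True) or b""
        verdict = "executable" if payload[:2] == b"MZ" else "name-only"
        results.append((name, verdict))
    return results


def build_sample(filename: str, payload: bytes) -> bytes:
    """Build a constructed sample message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "list@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed inputs: a sanitized attachment and an MZ-prefixed stub.
    stripped = build_sample("document.exe", b"Attachment removed by list.\n")
    stub = build_sample("document.exe", b"MZ\x90\x00" + b"\x00" * 60)
    print(classify_attachments(stripped))
    print(classify_attachments(stub))
```

A "name-only" verdict only says the content is not an MZ image; it is a triage hint for sorting the quarantine, not a statement that the message is safe.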


