Bofra-32-Sophos getting through

Ryan Bingham ryanb at aacrao.org
Wed Nov 10 20:35:57 GMT 2004


I just talked to Sophos about this and they said that because the email
doesn't actually contain a virus (only a link to a virus), they have no
way of filtering it and recommended doing it through a gateway spam
content filter.

I've taken Chris' advice and bumped up the SARE_FORGED_PAYPAL_C score,
and that seems to be catching the PayPal ones.  Does anyone have any
other ideas on how to block these?  Are other engines actually catching
these viruses?

Thanks,

Ryan

On Wed, 2004-11-10 at 14:56 -0500, Ryan Bingham wrote:
> I'm also seeing these slip past Sophos...
>
> On Wed, 2004-11-10 at 10:52 -0500, Steve Swaney wrote:
> > ________________________________________
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > > Behalf Of Chris Trudeau
> > > Sent: Wednesday, November 10, 2004 10:32 AM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Bofra-32-Sophos getting through
> >
> > > Hello list,
> >
> > > I am concerned that several of the Bofra bugs have gotten through my
> > > mailscanner/sophossavi implementation.
> >
> > > Sophos has released and I have confirmed Bofra IDE files in the libs for
> > > Sophos, but they continue to get through.
> >
> > > Any ideas?
> >
> > What do the logs say about one of the messages that got through?
> >
> > I'd immediately install ClamAV and / or BitDefender to stop additional
> > viruses from getting through.
> >
> > Steve
> >
> > Steve Swaney
> > President
> > Fortress Systems Ltd.
> > www.fsl.com
> > steve.swaney at fsl.com
> >
> >
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
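
Added example (not part of the original thread, and not Sophos, MailScanner or SpamAssassin code): a message that carries only a link has no file part for an attachment-oriented virus scanner to inspect, while a gateway content filter can still score the URLs in the body. The sample message and the two heuristics (bare IPv4 host, explicit port) are assumptions made for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample: a link-only message with no attachment.
# 192.0.2.10 is a documentation address (RFC 5737), not a real host.
SAMPLE = b"""\
From: service@example.com
To: user@example.org
Subject: Your order
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>Please review your order:
<a href="http://192.0.2.10:8080/index.htm">http://www.example.com/order</a>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def attachments(msg):
    """File parts: what an attachment-oriented virus scanner gets to inspect."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def suspicious_links(msg):
    """Assumed heuristic: flag URLs with a bare IPv4 host or an explicit port."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            try:
                split = urlsplit(url)
                host, port = split.hostname or "", split.port
            except ValueError:  # malformed port or bracketed host
                hits.append((url, ["malformed-url"]))
                continue
            reasons = []
            if IPV4_RE.match(host):
                reasons.append("ip-host")
            if port is not None:
                reasons.append("explicit-port")
            if reasons:
                hits.append((url, reasons))
    return hits

def scan(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"attachments": attachments(msg), "links": suspicious_links(msg)}
```
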
