virus e-mails again

Matt Kettler mkettler at EVI-INC.COM
Tue Nov 22 20:11:25 GMT 2005



Venkata Achanta wrote:
> Since yesterday morning we are getting hit by lots of virus e-mail 
> with .exe attachments.
> 
> File-packed_da.exe, File-packed_dataInfo.exe
> 
> At Mon Nov 21 22:03:08 2005 the virus scanner said:
> Executable DOS/Windows programs are dangerous in email
> (File-packed_da.exe)
> Attachment is too small
> 
> The user community is in panic. I sent out a broadcast e-mail letting the 
> users know about the virus outbreak and blah blah. 
> 
> These are not getting scored high enough to be categorized as spam. Users 
> are getting tonnes of messages with just the attachments stripped.
> 
> Right now I am collecting subject lines to put together an SA rule set.

Good luck with that. The current sober/mytob strains are mutating rapidly. Be
sure to make your subject rules deal with the variant subjects that use
underscores instead of spaces.

> 
> Any other suggestions are welcome in the mean time. 

It's really a shame that MS currently only has one "Silent Viruses" option which
pairs with "Still deliver silent viruses".


Unfortunately, in this day and age, anything but "All-Viruses" in the "Silent
Viruses" option is asking for trouble. So you ultimately have the choice of all
or nothing for local user notification.

Yes, the "non forging viruses" offers a way around this, but that also causes
the sender to be notified, not such a good idea for most viruses.

Ideally I'd like to have 3 categories:

	non-forging - notify sender and recipient
	"sender silent" - notify recipient but not sender
	"double Silent" - notify neither (but notify postmaster if enabled)


This way I could list macros as non-forging viruses, list things like the mytob
and sober worms in "double silent" and leave everything else in "sender silent"
so the recipients get warnings about them.
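
Added example, not part of the original message: one way to turn collected subject lines into SpamAssassin header rules that match a subject whether its words are separated by spaces or by underscores, as the reply advises. The sample subjects are constructed, and the rule-name prefix and score are assumptions.

```python
import re

# Constructed sample subjects (not taken from the thread); real ones would
# be copied from the quarantined messages.
COLLECTED_SUBJECTS = [
    "Your new password",
    "Your_new_password",
    "Registration  confirmation",
    "Mail delivery failed (details)",
]

SEPARATOR = re.compile(r"[ _]+")


def subject_to_pattern(subject):
    """Return an anchored regex in which every run of spaces or
    underscores in the subject matches either character."""
    words = [w for w in SEPARATOR.split(subject.strip()) if w]
    # re.escape protects metacharacters such as '(' or '.'; '/' is escaped
    # separately because the rule uses /.../ as its delimiters.
    escaped = [re.escape(w).replace("/", r"\/") for w in words]
    return "^" + "[ _]+".join(escaped) + "$"


def build_rules(subjects, prefix="LOCAL_WORM_SUBJ", score=5.0):
    """Return SpamAssassin rule text, one rule per distinct pattern.
    prefix and score are hypothetical local choices."""
    patterns = []
    for s in subjects:
        p = subject_to_pattern(s)
        # Space and underscore variants collapse to the same pattern.
        if p != "^$" and p not in patterns:
            patterns.append(p)
    lines = []
    for i, p in enumerate(patterns, 1):
        name = f"{prefix}_{i}"
        lines.append(f"header   {name} Subject =~ /{p}/i")
        lines.append(f"describe {name} Subject seen in local worm outbreak")
        lines.append(f"score    {name} {score}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_rules(COLLECTED_SUBJECTS))
```

The patterns are anchored at both ends to limit false positives on ordinary mail that merely contains the same words.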
