[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <005101c36765$4ea7bf40$0100a8c0@p3600>
From: chows at ozemail.com.au (gregh)
Subject: Re: Filtering sobig with postfix
> ----- Original Message -----
> From: vogt@...senet.com
> To: madduck@...duck.net ; full-disclosure@...ts.netsys.com
> Sent: Wednesday, August 20, 2003 11:27 PM
> Subject: AW: [Full-Disclosure] Re: Filtering sobig with postfix
> > > /see attached file for details/ REJECT
> >
> > this incurs a factor 2-4 performance drop, and it could also elicit
> > false positives. you should definitely do more than just REJECT
> > (i.e. write out a message: s/REJECT/554 Suspected virus/).
> Agree, a message would be good.
Just wanted to mention that I have been testing a few Windows based anti spam progs for customers. Spamkiller has the ability to pick things out quite nicely that some others dont appear to do. I have found the Sobig emails all seem to have a header line in it with "Found to be clean" as a way to attempt to fool something or other that there is no virus attached to the email. Filtering on that header seems to keep them all out so far.
Noted the FROM header can be anyone, like other viruses have done in the past, from the infected system's email address book or possibly anywhere on the hard disk.
Greg.
Powered by blists - more mailing lists