You can use Content Filtering and add all the subject lines below. You can also find Sybari's recommendations for file filtering at http://www.sybari.com/alerts/filter.asp.

Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures

Regards,

-----Original Message-----
From: Matthew Payne [mailto:mattp@xxxxxxxxxxxxxx]
Sent: Thursday, 23 May 2002 12:25
To: [ExchangeList]
Subject: [exchangelist] RE: Klez.H attack

http://www.MSExchange.org/ - Re-Vamped!

Hmmm

Having read all of your antigen comments I've decided to change from Trend ScanMail. What filters should I sensibly apply to antigen?

-----Original Message-----
From: Matt Dillingham [mailto:mdilling@xxxxxxxxx]
Sent: 21 May 2002 19:09
To: [ExchangeList]
Subject: [exchangelist] RE: Klez.H attack

http://www.MSExchange.org/

aorlowski@xxxxxxxxxxx wrote:
>
> Well Said Matt. I love Antigen, however has your campus received
> hundreds of hits lately? Our college has. I am not real worried about
> it because antigen cleans all of these out, but it seems to me that
> these hits are not a good sign. We are also filtering exe, scr, etc.
> All seems to work well.
>
> Allen Orlowski
> MCP, A+, Network +
> aorlowski@xxxxxxxxxxx <mailto:aorlowski@xxxxxxxxxxx>

Allen-

Yeah, we have been seeing a ton of these being filtered/purged. I would say lately, that Klez.X (usually coupled with a HTML/MimeExploit.IFRAME alert) has been making up about 95%+ of our virus traffic.
I suspect that the reason that this virus is so persistent and is seeming to spread so well is because of the spoofed SENDER field. it is very difficult to track down where the virus originated from. if i could not scan everyone's mailbox, i would be pretty nervous.

Does anyone know a practical way to actually track the real sender down? with antigen, it can automatically send alerts to any infected external or internal senders, once detected. the alerts are a completely automated, customizable email message. unfortunately, i have had to disable this feature right now because it is useless with klez. since the SENDER field is forged, antigen will send the klez alerts to the randomly selected person in the SENDER field, which is just a random address from the infected person's addressbook. anyone have any ideas about how to track down and alert these people?

-matt

PS> Allen- Just curious... what college do you work for?

--
__________________________________________________________________
Matt Dillingham                      Systems Administrator II
University of Michigan, Bioinformatics

>
> -----Original Message-----
> From: Matt Dillingham [mailto:mdilling@xxxxxxxxx]
> Sent: Tuesday, May 21, 2002 12:04 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Klez.H attack
>
> Denise Dorrance wrote:
> >
> > What exactly is Antigen? Is it a virus software or an Anti-spam
> > software??
> >
>
> Denise-
>
> Antigen is an antivirus engine that can scan all writes to the
> exchange information store (mailboxes, etc.) in real-time, can scan
> inside the store (as a scheduled task, on demand, etc.), and can scan
> and intercept messages being sent across the SMTP virt-server
> (incoming and outgoing) in real-time.
>
> since we have installed it and cleaned the information store for the
> first time, we have not had ANY viruses actually infect anyone's
> mailbox. everything has been stopped as incoming SMTP traffic.
>
> i don't know if there is any other solution out there that will work as
> well or better than antigen... because once i tried this, i stopped
> looking. i highly recommend it.
>
> -matt
>
> PS> however, it does not intercept spam... unless it has a virus- heh heh.
>
> PS> also, i forgot to mention, antigen also has file filtering capability
> (block all .exe & .scr, etc.), but we are not using it. i do know some
> people that are, and i have heard that it works fine.
> --
> __________________________________________________________________
> Matt Dillingham                      Systems Administrator II
> University of Michigan, Bioinformatics

------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: mattp@xxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
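
The subject-line filter suggested in the first reply of this thread, sketched in Python as an added example; it is not part of any poster's message and is not how Antigen implements Content Filtering. It assumes "[Random word]" stands for one whitespace-free token, that a rule must match the whole subject, and that RFC 2047 encoded subjects are decoded before matching; the function names are hypothetical.

```python
import re
from email.header import decode_header, make_header

WILD = "[Random word]"  # placeholder used in the list posted in the thread

# Subject templates copied from the list in the first reply.
TEMPLATES = [
    'Undeliverable mail--"[Random word]"', 'Returned mail--"[Random word]"',
    "a [Random word] [Random word] game", "a [Random word] [Random word] tool",
    "a [Random word] [Random word] website", "a [Random word] [Random word] patch",
    "[Random word] removal tools",
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl VS playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
]

def compile_template(template):
    """Escape the literal text and let each placeholder match one token."""
    literal_parts = [re.escape(part) for part in template.split(WILD)]
    return re.compile(r"\S+".join(literal_parts), re.IGNORECASE)

RULES = [(t, compile_template(t)) for t in TEMPLATES]

def normalise(raw_subject):
    """Decode RFC 2047 encoded-words, then collapse runs of whitespace."""
    decoded = str(make_header(decode_header(raw_subject)))
    return " ".join(decoded.split())

def match_subject(raw_subject):
    """Return the template the whole subject matches, or None."""
    subject = normalise(raw_subject)
    for template, rule in RULES:
        # fullmatch, not search: "meeting notice" inside a longer
        # subject line must not trigger the rule.
        if rule.fullmatch(subject):
            return template
    return None
```

Returning the matched template rather than a bare yes/no lets an administrator see which rule fired, which matters for short entries such as "honey" or "congratulations" that can also be the subject of legitimate mail.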