Re: Blocking .eml files

  • From: "Diane Poremsky" <drcp@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Sep 2001 12:56:14 -0400

I went through this with another virus - groupshield did a scheduled
scan of mailboxes and found 6 or so infected with the virus (it was the
one that was a url and the infection happened only if you went to
the url). They were from well-respected exchange admins and a Microsoft
employee (exchange pss) - all people who would be least likely to be
infected. 

Upon examining the messages (as text files) in quarantine, the best any
of us could determine was the url and original message text were trapped
by groupshield. To add to the weirdness, we could not repro it on new
mail, only mailbox scans. 

Moral of the story? Is the filter looking at text in the message body
and reporting a false positive? Specifically, I see that Patrick
included the js that is appended to all web pages by the virus and Mark
copied it in a reply. It's basically the exact same scenario with all
the messages I had marked as infected. 



-----Original Message-----
Well, accept my humblest apologies, I did not mean to be condescending.
Attached are the log files from Scanmail. The only mail that has been
identified by scanmail are
patricks@xxxxxxxxxxxxxxxxxx and Mark Strangways. 

Either way someone is infected.

