Re: Blocking .eml files

  • From: <patricks@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Sep 2001 17:46:49 +0100

Steve,
        Sorry for getting shirty, but you really should not rely on a
piece of third party software. Especially if the relevant code has had
to be written under an extremely tight timescale. I hope you have done
your own investigations while securing your systems.


Just to clear my name, I have attached the original message as it left
our company. As you can see, no attachment and no malicious code. In fact
it was sent as plain text. Looking at it. 

Looking back, I appended the JavaScript which is in the infected web
files to the end of the message. This must have triggered the scanner.
In fact my overzealous virus checker has removed this from my email logs!
Programs cannot see a piece of text or code in context and so it is
common for them to make a misdiagnosis in situations like this. The
saying goes, "don't believe everything you read in the papers." The same is
true for virus scanners.


Patrick




-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
Sent: 20 September 2001 17:17
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Blocking .eml files

Well, accept my humblest apologies, I did not mean to be condescending.
Attached are the log files from Scanmail. The only mail that has been
identified by scanmail are patricks@xxxxxxxxxxxxxxxxxx and Mark Strangways.

Either way someone is infected.

Steve
-----Original Message-----
From: patricks@xxxxxxxxxxxxxxxxxx [mailto:patricks@xxxxxxxxxxxxxxxxxx] 
Sent: 20 September 2001 17:05
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Blocking .eml files


http://www.ISAserver.org


I wasn't going to rise to this, but...

If we were infected, wouldn't ScanMail be sending these reports for
every email we sent to the list or to the many other people I
communicate with?

More likely the email was infected on the way to/from the list or some
lazy programmer at Trend Micro decided that any email with the string
".eml" in the subject or body meant that the email was infected.

Either way, your condescending attitude does nothing to benefit this
list.


Patrick



-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
Sent: 20 September 2001 16:39
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Blocking .eml files




Yup, that's what scanmail said

Steve

-----Original Message-----
From: Mark Strangways [mailto:strangconst@xxxxxxxx] 
Sent: 20 September 2001 13:36
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Blocking .eml files




Are you saying that I'm infected?

regards,

Mark
----- Original Message -----
From: "Steve Moffat" <steve@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 20, 2001 6:20 AM
Subject: [isalist] Re: Blocking .eml files




patricks@xxxxxxxxxxxxxxxxxx
Mark Strangways


It seems that some are infected despite all the warnings last time
round.

Steve


-----Original Message-----
From: Mark Strangways
Sent: Wed 9/19/2001 1:07 PM
To: [ISAserver.org Discussion List]
Cc:
Subject: [isalist] Re: Blocking .eml files

Trend Micro ScanMail has detected a virus in the message body of this
email and removed it.








> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> strangconst@xxxxxxxx To unsubscribe send a blank email to
> $subst('Email.Unsub')
>

