Re: Blocking .eml files

  • From: "cismic" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Sep 2001 12:11:42 -0700

I would suggest to avoid emails that contain this in the subject line:

SUBJECT: Important updates 
BODY:    information about new computers with links pointing to some
web site with www as a virtual link.

Joseph


-----Original Message-----
From: Diane Poremsky [mailto:drcp@xxxxxxxxxxxx] 
Sent: Thursday, September 20, 2001 9:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Blocking .eml files


I went through this with another virus - GroupShield did a scheduled
scan of mailboxes and found 6 or so infected with the virus (it was the
one that was a URL and the infection happened only if you went to
the URL). They were from well-respected Exchange admins and a Microsoft
employee (Exchange PSS) - all people who would be least likely to be
infected.

Upon examining the messages (as text files) in quarantine, the best any
of us could determine was the URL and original message text were trapped
by GroupShield. To add to the weirdness, we could not repro it on new
mail, only mailbox scans.

Moral of the story? Is the filter looking at text in the message body
and reporting a false positive? Specifically, I see that Patrick
included the JS that is appended to all web pages by the virus and Mark
copied it in a reply. It's basically the exact same scenario with all
the messages I had marked as infected.



-----Original Message-----
Well, accept my humblest apologies, I did not mean to be condescending.
Attached are the log files from Scanmail. The only mail that has been
identified by Scanmail are
patricks@xxxxxxxxxxxxxxxxxx and Mark Strangways.

Either way someone is infected.
