I would suggest to avoid emails that contain this in the subject line: SUBJECT: Important updates BODY: information about new computers with links pointing to a some web site with www as a virtual link. Joseph -----Original Message----- From: Diane Poremsky [mailto:drcp@xxxxxxxxxxxx] Sent: Thursday, September 20, 2001 9:56 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Blocking .eml files http://www.ISAserver.org I went through this with another virus - groupshield did a scheduled scan of mailboxes and found 6 or so infected with the virus (it was the one that was a url and the infection happened only if you hit went to the url). They were from well-respected exchange admins and a Microsoft employee (exchange pss) - all people who would be least likely to be infected. Upon examining the messages (as text files) in quarantine, the best any of us could determine was the url and original message text were trapped by groupshield. To add to the weirdness, we could not repro it on new mail, only mailbox scans. Moral of the story? Is the filter is looking at text in the message body and reporting a false positive? Specifically, I see that Patrick included the js that is appended to all web pages by the virus and Mark copied it in a reply. It's basically the exact same scenario with all the messages I had marked as infected. -----Original Message----- Well, accept my humblest apologies, I did not mean to be condescending. Attached are the log files from Scanmail. The only mail that has been Identified by scanmail are patricks@xxxxxxxxxxxxxxxxxx and Mark Strangways. Either way someone is infected. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')