This string is in the beginning of first line of the body of infected emails all buts the zips
T_V_q_Q_A_AMAAAAEAAAA This is in the beginning of the first line of the .zips U_E_s_D_B_AoAAAAAA Both of these strings produce virus hits on Google NOTE: remove the underscores to get the actual string. I put these in a separate body filter with a delete action. Every one held today was a virus. Mike ----- Original Message ----- From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, January 27, 2004 4:01 PM Subject: [Declude.JunkMail] MyDoom / Novarg > I have been successful trapping most of these viruses with a body filter > filtering on the > > Mail transaction failed. Partial message is available. > > and > > has been sent as a binary attachment > > I placed the extra spaces so they will not get caught by other filters on > this list. I then use ROUTETO to send the messages to an account I monitor > for false positives. > > Out of about 100 catches so far no false positives. > > > Kevin Bilbee > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] Behalf Of Jim Priest > > Sent: Tuesday, January 27, 2004 12:10 PM > > To: Chuck Schick > > Subject: Re[2]: [Declude.JunkMail] evaluating declude > > > > > > Tuesday, January 27, 2004, 2:42:18 PM, Chuck wrote: > > CS> Here are some of my general guidelines. > > CS> 4. ) A few pieces of Spam are always going to get through > > because spammers > > CS> are always changing their methodology. We are in a reactive mode. > > > > Chuck, thanks for all the info. Been digging through some of the > > archives and learning more. > > > > Another quick question - how many people use the 'hold' action - and > > how do you manage any spam which gets held? I've found some software > > called 'Spam Review' which looks helpful. > > > > jim > > > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
