On Thu, 2004-06-17 at 19:16, Michael D. Crawford wrote:
> I think the virus that's assaulting me is what this
> page calls the PE_ZAFI.B virus:
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_ZAFI.B&VSect=T
>
> The clamav database lists a virus called Worm.Zafi.B.
>
> I'm still working on downloading my mailbox. I copied
> it to my home directory at my hosting service, then
> truncated my mail spool file so I wouldn't fill up the
> filesystem. My spool file had grown to 1.2 gigabytes
> in three days.
>
> After I truncated my spool file, I was able to open it
> in elm for a little while before elm was unable to
> keep up and quit. In the space of five minutes or so
> I received 417 messages. Elm crapped out when the
> spool file had about 2000 messages in it.

As an interesting aside, the Zafi worm also ignores DNS MX records and
goes straight for final destination if it can. We have a
postfix/amavisd/clamav/spamassassin filter box that fronts the main
server which contains user mailboxes. The main server kept getting all
these Zafi infected mails coming in, and it took me a bit to realize
they were bypassing the filter box entirely. I ended up putting an
access rule in the main gateway router to block incoming smtp to
everything except the filter box and that's stopped it.

-Bill

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
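
The bypass described in the reply above shows up in the mailbox server's own mail log as SMTP clients other than the filter box. The following is an added example, not part of the original thread: a log check that assumes Postfix smtpd syslog lines on the mailbox server and a filter box at the constructed address 192.0.2.10. All hostnames, addresses and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: only the filter box and loopback may hand mail to the mailbox server.
ALLOWED_RELAYS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "127.0.0.0/8")]

# Postfix smtpd logs each accepted message as "<queue-id>: client=<host>[<ip>]".
# The pattern assumes the classic hexadecimal queue-id form.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=[^\[\s]+\[(?P<ip>[^\]]+)\]"
)

# Constructed sample log: one delivery through the filter box, three that bypass it.
SAMPLE_LOG = """\
Jun 17 19:20:01 mailhub postfix/smtpd[2211]: connect from filter.example.org[192.0.2.10]
Jun 17 19:20:01 mailhub postfix/smtpd[2211]: 4C1A2B3D4E: client=filter.example.org[192.0.2.10]
Jun 17 19:20:03 mailhub postfix/smtpd[2214]: 5D2B3C4E5F: client=unknown[203.0.113.77]
Jun 17 19:20:04 mailhub postfix/smtpd[2215]: 6E3C4D5F60: client=dsl-77.example.net[203.0.113.77]
Jun 17 19:20:05 mailhub postfix/smtpd[2216]: 7F4D5E6071: client=host.example.com[198.51.100.23]
Jun 17 19:20:06 mailhub postfix/cleanup[2217]: 7F4D5E6071: message-id=<x@example.com>
"""


def find_bypass(lines, allowed=ALLOWED_RELAYS):
    """Count accepted messages per client IP that did not arrive via an allowed relay."""
    hits = Counter()
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not an smtpd "client=" line (connect, cleanup, qmgr, ...)
        raw = m.group("ip")
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            # Postfix writes "unknown" when it has no usable address; treat as suspect.
            hits[raw] += 1
            continue
        if not any(ip in net for net in allowed):
            hits[str(ip)] += 1
    return hits


if __name__ == "__main__":
    for ip, count in find_bypass(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}\t{count} message(s) delivered directly, bypassing the filter box")
```

Once the router rule from the reply is in place, this check should return nothing, so any hit points to a gap in the access rule.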