On Thu, 2004-06-17 at 19:16, Michael D. Crawford wrote:
> I think the virus that's assaulting me is what this
> page calls the PE_ZAFI.B virus:
> 
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_ZAFI.B&VSect=T
> 
> The clamav database lists a virus called Worm.Zafi.B.
> 
> I'm still working on downloading my mailbox.  I copied
> it to my home directory at my hosting service, then
> truncated my mail spool file so I wouldn't fill up the
> filesystem.  My spool file had grown to 1.2 gigabytes
> in three days.
> 
> After I truncated my spool file, I was able to open it
> in elm for a little while before elm was unable to
> keep up and quit.  In the space of five minutes or so
> I received 417 messages.  Elm crapped out when the
> spool file had about 2000 messages in it.

As an interesting aside, the Zafi worm also ignores DNS MX
records and goes straight for the final destination if it can.
We have a postfix/amavisd/clamav/spamassassin filter box
that fronts the main server which contains user mailboxes.
The main server kept getting all these Zafi-infected mails
coming in, and it took me a bit to realize they were bypassing
the filter box entirely.

I ended up putting an access rule in the main gateway router
to block incoming SMTP to everything except the filter box,
and that's stopped it.

        -Bill
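
The MX bypass described in the message above can be spotted from the mailbox server's own logs. This is an added example, not part of the original post: it assumes the mailbox server runs Postfix and logs `connect from name[addr]` lines, and the relay addresses, host names and log lines are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: only these sources should ever open SMTP sessions to the
# mailbox server (the filter box and localhost). Placeholder addresses.
ALLOWED = [ip_network("192.0.2.10/32"), ip_network("127.0.0.0/8")]

# Postfix smtpd logs each inbound session as "connect from name[addr]".
# Anchoring on "]: connect" keeps "disconnect from" lines from matching.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (\S*)\[([0-9a-fA-F.:]+)\]")

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = """\
Jun 17 19:01:02 mbox postfix/smtpd[2101]: connect from filter.example.org[192.0.2.10]
Jun 17 19:01:05 mbox postfix/smtpd[2102]: connect from unknown[198.51.100.23]
Jun 17 19:01:05 mbox postfix/smtpd[2102]: disconnect from unknown[198.51.100.23]
Jun 17 19:01:09 mbox postfix/smtpd[2104]: connect from dsl-7.example.net[203.0.113.77]
Jun 17 19:01:11 mbox postfix/smtpd[2105]: connect from unknown[198.51.100.23]
Jun 17 19:01:12 mbox postfix/cleanup[2110]: 4F2A1: message-id=<x@example.org>
Jun 17 19:01:15 mbox postfix/smtpd[2106]: connect from localhost[127.0.0.1]
"""

def direct_senders(log_text, allowed=ALLOWED):
    """Count SMTP sessions per client that did not arrive via an allowed relay."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(2))
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if not any(addr in net for net in allowed):
            hits[str(addr)] += 1
    return hits

if __name__ == "__main__":
    for addr, n in direct_senders(SAMPLE_LOG).most_common():
        print(f"{addr}\t{n} direct SMTP session(s) bypassing the filter box")
```

Once the router rule is in place, the same check should return nothing; any remaining hit means a path to port 25 on the mailbox server is still open.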




_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
