> Why not block any .exe attachments?

I don't block .EXE attachments, but that policy may work for others. In my company, we find it very common to receive executables in email, as well as viruses that are plain executables, therefore we neither silently discard them, nor do we reply to likely spoofed mailfrom, nor do we annoy the recipient.

I use Declude on a gateway server, and I use Trend Micro ScanMail for Exchange on my internal servers. On those internal servers, I scan for viruses and I ban executable attachments (not the whole message) and notify the recipient and our Help Centre. From the message body, the recipient can determine whether the attachment is valid; the Help Centre could re-send the executable but it would be blocked by Outlook anyway, so the usual case is then for the recipient to ask the sender to re-send the executable in a zip file.

> In our system AVG is detecting it.

Shortly before I sent that first message, F-Prot received a pattern update and was detecting the greeting cards as W32/Tibs.gen4 and the postcard as W32/Tibs.RA ... And submitting the greeting card to the Sunbelt malware sandbox showed a huge amount of activity. I suspect that this will be a real nuisance for those infected.

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
> Sent: Saturday, December 30, 2006 9:30 AM
> To: [email protected]
> Subject: RE: [Declude.Virus] New virus to add to your banned names in virus.cfg
>
> Andrew..
>
> Why not block any .exe attachments?
>
> In our system AVG is detecting it.
>
> Kami
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Saturday, December 30, 2006 12:11 PM
> To: [email protected]
> Subject: [Declude.Virus] New virus to add to your banned names in virus.cfg
>
> http://isc.sans.org/diary.php?storyid=1988
>
> BANNAME Greeting Card.exe
> BANNAME Greeting Postcard.exe
> BANNAME GreetingCard.exe
>
> Which may be related to a rash of these that my mailserver received on Dec 28th, as the executables are the same size but contain many differences:
>
> BANNAME postcard.exe
>
> As of this writing, F-Prot detected neither executable, and Trend Micro does not yet, unless you use the "CPR" version to obtain the beta of the next pattern update.
>
> Andrew.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> > Sent: Tuesday, December 26, 2006 6:05 AM
> > To: [email protected]
> > Subject: Re: [Declude.Virus] How to block an IP
> >
> > Joe,
> >
> > Just add the IP or CIDR block into the SMTP access control in Imail.
> >
> > Darrell
> > ------------------------------------------------------------------------
> > Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
> >
> > ----- Original Message -----
> > From: "J Porter" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Monday, December 25, 2006 11:06 PM
> > Subject: [Declude.Virus] How to block an IP
> >
> > Is there a way to block an IP address before analysis by Declude's AV (Ver 1.82 - Imail 8.x)?
> >
> > I thought I should be able to do this with rules.ima by looking for a line in the header. So I have a line that says
> > H~xxx\.yyy\.zz\.
> > but it doesn't work. (In case you can't see it, the lines read \. = slash dot per Ipswitch docs) I don't think the H~ (header contains) command reads everything in the header.
> >
> > ~Joe
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
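
The policy Andrew describes for his internal servers (remove the executable attachment, deliver the rest of the message, tell the recipient), sketched in Python as an added example; it is not code from this thread, Declude or ScanMail. The four names are the BANNAME entries quoted in the thread; the case-insensitive exact matching, the extension list and the notice wording are assumptions.

```python
# Added example: strip banned attachments but still deliver the message.
import os
from email.message import EmailMessage

# BANNAME values quoted in the thread; exact case-insensitive matching is assumed.
BANNED_NAMES = {"greeting card.exe", "greeting postcard.exe",
                "greetingcard.exe", "postcard.exe"}
# Hypothetical extension list standing in for "executable attachments".
BANNED_EXTS = {".exe", ".scr", ".pif", ".com"}


def is_banned(filename):
    """Match on the base name; trailing dots/spaces are dropped, as Windows does."""
    name = os.path.basename(filename.replace("\\", "/")).rstrip(" .").lower()
    return name in BANNED_NAMES or os.path.splitext(name)[1] in BANNED_EXTS


def strip_banned(msg):
    """Replace each banned attachment with a text notice; return removed names."""
    removed = []
    for part in list(msg.walk()):
        filename = part.get_filename()
        if filename and is_banned(filename):
            removed.append(filename)
            # set_content() drops the old payload and all Content-* headers.
            part.set_content(
                f"Attachment '{filename}' was removed by mail policy.\n"
                "If you expected it, ask the sender to re-send it in a zip file.\n")
    return removed


def remaining_filenames(msg):
    """Names of the attachments still present in the message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def sample_message():
    """Constructed message for the demonstration, not real traffic."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Happy New Year"
    msg.set_content("See the attached card.\n")
    msg.add_attachment(b"MZ constructed bytes", maintype="application",
                       subtype="octet-stream", filename="Greeting Card.EXE")
    msg.add_attachment(b"%PDF constructed bytes", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg
```

A zip file passes this check untouched, which matches the re-send workaround in the message above.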
