We believed f-prot/declude didn't catch a virus and we are still in the "figuring out why" phase.
Here is the case... maybe you can help us out.

Domain aldia.com.co has a nobody alias that goes to [EMAIL PROTECTED]. Somebody sent an email to a nonexistent account. The nobody rule caught it and sent it to [EMAIL PROTECTED], and it was a virus. I still don't know what type of virus. I just asked them to send it to a special account we have for those cases.

Virus log shows
--------------------
01/14/2003 01:20:25 Qac281626014a3633 MIME file: [text/html][quoted-printable; Length=121 Checksum=8588]
01/14/2003 01:20:25 Qac281626014a3633 MIME file: DELETED0.TXT [base64; Length=127 Checksum=11072]
01/14/2003 01:20:25 Qac281626014a3633 MIME file: TIP.HTM [base64; Length=15495 Checksum=1351261]
01/14/2003 01:20:25 Qac281626014a3633 Scanned: Virus Free [MIME: 3 15743]

This deleted0.txt then became... delete.txt, as you can see in the link to the attached jpeg.
http://www.pandacons.com/virus_aldia.jpg

The Syslog shows
-------------------
01:14 01:20 SMTPD(1626014A) [130.94.243.96] connect 66.128.32.107 port 46974
01:14 01:20 SMTPD(1626014A) [66.128.32.107] EHLO dexter.telesat.com.co
01:14 01:20 SMTPD(1626014A) [66.128.32.107] MAIL From:<[EMAIL PROTECTED]>
01:14 01:20 SMTPD(1626014A) [66.128.32.107] RCPT To:<[EMAIL PROTECTED]>
01:14 01:20 SMTPD(1626014A) [66.128.32.107] d:\IMail\spool\Dac281626014a3633.SMD 23070
01:14 01:20 SMTP-(00000AA4) processing d:\IMail\spool\Qac281626014a3633.SMD
01:14 01:20 SMTP-(00000AA4) ldeliver aldia.com.co sistemas14-main (1) [EMAIL PROTECTED] 23222
01:14 01:20 SMTP-(00000AA4) finished d:\IMail\spool\Qac281626014a3633.SMD status=1

As you can see, the From is a forged address (see the link to the attached jpeg).
http://www.pandacons.com/virus_aldia.jpg

The delete.txt asks you if you want to open the file or not... guess what my client did... Of course he opened it... way to go.... His computer is working erratically... We still don't know if he will be able to send us the attached virus message.

Any ideas? What type of virus is it? Have you seen it?
I will keep you posted if we find out what it is.

Regards,
Luis Arango

---
This E-mail came from the Declude.Virus mailing list.
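A triage sketch for the two logs quoted in the post, added here as an example (it is not part of the original message and is not Declude or IMail code). It joins the scanner verdict to the SMTP session on the id shared by the `D…​.SMD` and `Q…​.SMD` spool names, a relationship inferred only from the lines shown above; `REVIEW_EXT` and `needs_review` are hypothetical helpers for picking parts to inspect by hand.

```python
import re
from collections import defaultdict

# Log lines copied from the post above.
VIRUS_LOG = r"""
01/14/2003 01:20:25 Qac281626014a3633 MIME file: [text/html][quoted-printable; Length=121 Checksum=8588]
01/14/2003 01:20:25 Qac281626014a3633 MIME file: DELETED0.TXT [base64; Length=127 Checksum=11072]
01/14/2003 01:20:25 Qac281626014a3633 MIME file: TIP.HTM [base64; Length=15495 Checksum=1351261]
01/14/2003 01:20:25 Qac281626014a3633 Scanned: Virus Free [MIME: 3 15743]
"""
SYSLOG = r"""
01:14 01:20 SMTPD(1626014A) [130.94.243.96] connect 66.128.32.107 port 46974
01:14 01:20 SMTPD(1626014A) [66.128.32.107] EHLO dexter.telesat.com.co
01:14 01:20 SMTPD(1626014A) [66.128.32.107] d:\IMail\spool\Dac281626014a3633.SMD 23070
"""
PART = re.compile(r" Q(\w+) MIME file: ([^\[\s]*)\s*(?:\[([^\]]+)\])?\[([^;\]]+); Length=(\d+)")
VERDICT = re.compile(r" Q(\w+) Scanned: (.+?) \[MIME:")
SMTPD = re.compile(r"SMTPD\((\w+)\) \[[\d.]+\] (.*)")
# Assumption for this example: extensions worth a manual look even after a clean scan.
REVIEW_EXT = (".htm", ".html", ".hta", ".exe", ".scr", ".pif", ".vbs")

def correlate(virus_log, syslog):
    """Join scanner results to SMTP sessions on the shared spool id."""
    msgs = defaultdict(lambda: {"parts": [], "verdict": None, "peer": None, "helo": None})
    for line in virus_log.splitlines():
        if m := PART.search(line):
            qid, name, ctype, enc, length = m.groups()
            msgs[qid]["parts"].append((name or None, ctype, enc, int(length)))
        elif m := VERDICT.search(line):
            msgs[m.group(1)]["verdict"] = m.group(2)
    sessions = defaultdict(dict)
    for line in syslog.splitlines():
        if not (m := SMTPD.search(line)):
            continue
        sid, rest = m.groups()
        if c := re.match(r"connect (\S+) port", rest):
            sessions[sid]["peer"] = c.group(1)
        elif h := re.match(r"(?:EHLO|HELO) (\S+)", rest):
            sessions[sid]["helo"] = h.group(1)
        elif s := re.search(r"\\D(\w+)\.SMD", rest):
            sessions[sid]["qid"] = s.group(1)
    for s in sessions.values():  # attach peer and HELO to the scanned message
        if s.get("qid") in msgs:
            msgs[s["qid"]].update(peer=s.get("peer"), helo=s.get("helo"))
    return dict(msgs)

def needs_review(msg):
    """Named base64 parts with a reviewable extension, regardless of verdict."""
    return [n for n, _, enc, _ in msg["parts"]
            if n and enc == "base64" and n.lower().endswith(REVIEW_EXT)]
```

Run over the excerpts above, this ties message `ac281626014a3633` to the connecting host and its EHLO name and lists `TIP.HTM` as the part to pull from the spool for a second scan.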
