I just got an email in my inbox with a file attachment called:
Beethoven's_Symphony_No.XP2002.Zip.scr
I looked at the eml file, and the attachment is referenced there as:
Content-Type: application/octet-stream; Name =
"Beethoven's_Symphony_No.XP2002.Zip.scr"
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; FileName =
"Beethoven's_Symphony_No.XP2002.Zip.scr"
My question is, why is this being passed by Declude virus? I have the following
lines in my virus.cfg:
BANEXT scr
..
BANZIPEXTS ON
I cannot find the string "Beethoven" at all in my virus log files, which
typically contain file names that were scanned. The logs make it seem as if
other SCR files are getting blocked, such as this line for another message:
02/24/2005 00:09:34 Q618d326e00fe66d1 Invalid SCR Vulnerability
02/24/2005 00:09:34 Q618d326e00fe66d1 Banning file with scr extension
[audio/x-wav].
I'm having some trouble locating this message in my logs. The logs appear to
identify messages by the Q* file name, which is not carried over into the
delivered message headers. Is there a way to insert that identifier in the
message header? How about recording X-UIDL or Message-Id in the log file?
Thanks!
-Chase
Chase Seibert | Network and Systems Engineer | Bullhorn Inc. | 617.464.2440 x119 | www.bullhorn.com