Without offering up the exact how-to, I can point out that the SIZE test
and a BODY CONTAINS combination would likely help in Declude JunkMail,
and that you would have to stop banning RAR files in Declude EVA.

Judicious use of the SIZE test would help Gary to HOLD only small RAR
files, whether encrypted or not.

Meanwhile, a strategy of chasing BODY and SUBJECT lines in Declude
JunkMail text filters would help to target this worm, as this family
heavily recycles its own text.  Using

BODY CONTAINS Subject: yadda

fragments also helps to catch annoying blowback as your users get
automatic responses from 3rd party email servers that naively believed
the MAILFROM was not a fake.

Andrew.





> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of David Barker
> Sent: Wednesday, May 02, 2007 1:07 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
> 
> Yes I apologize I only realized the next day (Saturday) that 
> this would not work because the message will be scanned if it 
> is under a HOLD or DELETE threshold.
> 
> David 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Gary Steiner
> Sent: Wednesday, May 02, 2007 4:03 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
> 
> I am confused as to how this would work, as BANEXT RAR in EVA 
> will hold those files regardless of the weight.
> 
> Has anyone worked out a way to ban small RAR files that would 
> contain the virus, and pass large RAR files that most likely 
> would not?
> 
> I'm trying to find a work around until Declude figures out 
> how to detect encrypted RAR files.  Right now I'm banning all 
> RAR files, then have to go in and manually re-submit the 
> legitimate RAR files that my customers are sending.
> 
> Gary
> 
> 
> 
> -------- Original Message --------
> > From: "David Barker" <[EMAIL PROTECTED]>
> > Sent: Friday, April 27, 2007 5:52 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
> > 
> > You may be able to do something with the MSGSIZE test in conjunction
> > with AVAFTERJM ON eg.
> > 
> > SIZE-10MB           msgsize         10240           x       -50   0
> > 
> > David Barker
> > VP Operations  |  Declude
> > Your Email Security is our business
> > O: 978.499.2933  x7007
> > F: 978.988.1311       
> > E: [EMAIL PROTECTED]
> > 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Gary Steiner
> > Sent: Friday, April 27, 2007 4:25 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
> > 
> > It's not that difficult.  The legitimate messages with rar attachments
> > are big (usually 10MB and up) so it's not hard to separate them from
> > the image spam and common viruses being held in the virus directory.
> > 
> > As mentioned by Craig in an earlier post, it would be nice if Declude
> > added the capability to skip banning on files of large size.
> > 
> > 
> > 
> > -------- Original Message --------
> > > From: "John T \(lists\)" <[EMAIL PROTECTED]>
> > > Sent: Friday, April 27, 2007 3:56 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
> > > 
> > > > Until Declude resolves the issue with BANEXT EZIP, I've had to ban
> > > > all rar files.  Unfortunately some of my customers regularly send
> > > > rar attachments, so I've had to check the virus hold directory on
> > > > a regular basis and manually resubmit any false positives there.
> > > > 
> > > > Gary
> > > 
> > > Instead of manually checking for legit files, use the BANEXT.eml
> > > file to send a postmaster message that you get and/or the recipient
> > > and/or sender get and that notice can be reviewed a lot easier than
> > > manually checking the hold directory.
> > > 
> > > John T
> > > 
> > > 
> > > 
> > > 
> > > ---
> > > This E-mail came from the Declude.Virus mailing list.  To 
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.Virus".    The archives can be found
> > > at http://www.mail-archive.com. 
> 

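The strategy Andrew sketches at the top of the thread (a SIZE test so only small RAR mail is held, plus a BODY CONTAINS "Subject: yadda" filter that also catches bounce blowback), written out as an added Python example. This is not Declude code or Declude filter syntax; the 10 MB threshold, the fragment list, the placeholder addresses and the sample messages are all assumptions constructed for the example. It also goes one step beyond the thread by identifying RAR archives from their magic bytes as well as the .rar extension, since an extension-only ban misses a renamed archive.

```python
"""Added example, not Declude's code: the hold strategy from the thread
(a SIZE gate on RAR mail plus a BODY CONTAINS "Subject: <fragment>" test)
written out in Python. The threshold, the fragment list and the sample
messages are assumptions constructed for this example."""
from email import message_from_bytes, policy
from email.message import EmailMessage

HOLD_SIZE_LIMIT = 10 * 1024 * 1024     # assumed: legitimate RAR mail is ~10 MB and up
RECYCLED_FRAGMENTS = ("yadda",)        # assumed subject text the worm family reuses
RAR_MAGIC = b"Rar!\x1a\x07"            # shared prefix of the RAR4 and RAR5 signatures


def rar_attachments(msg):
    """Names of attachments that are RAR by extension or by magic bytes.

    BANEXT-style banning keys on the extension alone, so a renamed archive
    slips past it; checking the first bytes of the decoded payload does not."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".rar") or payload.startswith(RAR_MAGIC):
            found.append(name or "<unnamed>")
    return found


def body_contains_recycled_subject(msg):
    """BODY CONTAINS 'Subject: <fragment>' over every text/plain part.

    This matches the worm's own recycled text and also the blowback: a bounce
    from a third-party server that trusted the forged MAIL FROM quotes the
    original headers in its body, so the fragment appears after 'Subject:'."""
    blob = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain").lower()
    return any(f"subject: {frag.lower()}" in blob for frag in RECYCLED_FRAGMENTS)


def classify(raw_bytes):
    """Return (action, reason). Small RAR mail and recycled text are HELD;
    a RAR attachment in a message at or above the size limit is delivered."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    size = len(raw_bytes)
    rars = rar_attachments(msg)
    if rars and size < HOLD_SIZE_LIMIT:
        return "HOLD", f"rar attachment {rars} in a {size}-byte message"
    if body_contains_recycled_subject(msg):
        return "HOLD", "body contains a recycled worm subject line"
    return "DELIVER", f"{size} bytes, rar={bool(rars)}"


def build_sample(subject, body, attachment=None, filename=None):
    """Constructed sample message (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed inputs: a small worm-style RAR, the same archive renamed,
# a large legitimate RAR, a bounce quoting the forged subject, and plain mail.
SAMPLE_WORM = build_sample("yadda", "see attached", RAR_MAGIC + b"\x00" * 64, "photo.rar")
SAMPLE_RENAMED = build_sample("hi", "doc", RAR_MAGIC + b"\x00" * 64, "photo.dat")
SAMPLE_LEGIT = build_sample("project files", "here you go",
                            RAR_MAGIC + b"\x00" * HOLD_SIZE_LIMIT, "project.rar")
SAMPLE_BOUNCE = build_sample("Undeliverable", "Your message could not be delivered.\n\n"
                             "From: user@example.invalid\nSubject: yadda\n")
SAMPLE_PLAIN = build_sample("lunch?", "noon?")

if __name__ == "__main__":
    for label, raw in [("worm", SAMPLE_WORM), ("renamed", SAMPLE_RENAMED),
                       ("legit", SAMPLE_LEGIT), ("bounce", SAMPLE_BOUNCE),
                       ("plain", SAMPLE_PLAIN)]:
        action, reason = classify(raw)
        print(f"{label:8} {action:8} {reason}")
```

The size gate is applied to the whole message, which is what a MSGSIZE-style test sees; the caveat from the thread still applies, namely that a SIZE score only helps if the RAR ban itself is removed, otherwise the extension ban holds the message before any weight is consulted.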