My *.com filter has been working too, but I don't do any file filtering in the SMTP scanner, just the Realtime scanner.
-Peter

-----Original Message-----
From: Robert T. Echols [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 13:53
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose

Antigen has been working with the *.com filter with no problem for me.

-Robert

-----Original Message-----
From: Saul [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 12:39 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose

After updating the Virus Definition files Antigen reported it as;

Antigen for Exchange found www.myparty.yahoo.com infected with W32/MyParty-A (Sophos,McAfee4,CA(InoculateIT),CA(Vet)) worm. The message is currently Purged. The message, "new photos from my party!", was sent from user and was discovered in user\Outbox located at Company/First Administrative Group/Exchange Server.

But before the update, the *.com filter didn't work. Weird!

Saul

> And Trend reports it as:
>
> "WORM_MYPARTY.A" virus was found in attachment "www.myparty.yahoo.com",
> ScanMail has moved the attachment to C:\Program Files\Trend\Smex\Virus.
>
> Paul Chinnery
> Network Administrator
> Mem Med Ctr
>
>
> -----Original Message-----
> From: John Matteson [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 3:24 PM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
>
> Maybe cause the payload looks like a weblink?
>
> When Nemix reports, it shows as:
> ===========
> The message contained 1 virus(es):
>
> www.myparty.yahoo.com infected with the [EMAIL PROTECTED]
> virus
> - - -
> =======================
>
> Your guess is as good as mine.
>
> John Matteson; Exchange Manager
> Geac Corporate Infrastructure Systems and Standards
> (404) 239 - 2981
> My toys! My toys! I can't do this job without my toys!
>
>
> -----Original Message-----
> From: Saul [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 3:08 PM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
>
> I am also blocking *.com on our SMTP Scan Job for Antigen but this
> attachment slipped by. Luckily the user who got it suspected something and
> called us. I have updated the virus engines running on our Antigen but I
> am curious why the attachment blocking didn't work? Any IDEAS?
>
> Saul
>
> > This one slipped by our *.com file matching as well... actually it's been
> > a little hit and miss... some were caught but others were not stopped
> > until we installed the definition file--We're running Antigen with the
> > Norman def. I'm still seeing weird stuff.... some seem to be getting
> > through the IMC scan and making it to the store and getting disinfected
> > there. That's the first time I've ever seen that. Very odd indeed. Most
> > that are being caught are by the virus definition--because generally we
> > just get the *.com type block message. Wonder what's going on here.
> >
> > Fortunately we run something different on the desktop--and it had updated
> > through the night.
> >
> > Josh Harmon
> >
> >
> > -----Original Message-----
> > From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 8:20 AM
> > To: Exchange Discussions
> > Subject: RE: Alert: W32/Myparty-mm on the loose
> >
> >
> > Somehow this one slipped past our .com filter on our linux firewall. NAV
> > for exchange caught it by the .COM extension, and norton had just
> > liveupdated us an hour earlier with the new definitions that would have
> > caught it if it wasn't a blocked extension. I think the syntax of the
> > attachment code is probably not RFC compliant.
> >
> > Tom
> >
> > -----Original Message-----
> > From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 9:03 AM
> > To: Exchange Discussions
> > Subject: RE: Alert: W32/Myparty-mm on the loose
> >
> >
> > Fortunately we're all blocking *.com right? The *.com viruses are going to
> > take forever to combat from a social engineering standpoint. It's probably
> > worth investing some time in user education on .com files because I think
> > this is going to be a new favorite virus writing style for the next few
> > months.
> >
> > Chris Scharff
> > The Mail Resource Center
> > http://www.mail-resources.com
> >
> > -----Original Message-----
> > From: Martin Blackstone
> > To: Exchange Discussions
> > Sent: 1/28/2002 7:57 AM
> > Subject: FW: Alert: W32/Myparty-mm on the loose
> >
> >
> >
> > -----Original Message-----
> > From: Russ [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 5:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: Alert: W32/Myparty-mm on the loose
> >
> >
> > Be aware that this morning you will likely find a copy of this new mass
> > mailer in your mail systems. This is a pure social engineering attack, it
> > contains an attachment named as a URL with a .com extension. Since .com is
> > also an application, it will be run as such if it's double-clicked on.
> > Check with your AV company for updates and/or filtering criteria. If you
> > can, be sure you have attachment filtering enabled at your mail gateway.
> > Outlook Email Security Update, and Outlook 2002, both catch this
> > attachment and prevent it from being available for the user to click on.
> >
> > Cheers,
> > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> >
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
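
An added illustration, not part of the thread and not any vendor's code: one way a gateway extension filter can miss an attachment that a scanner or mail client still sees is by reading the name from only one header, or only from strictly parsed headers. The blocklist, the sample messages and the malformed header below are constructed assumptions; the thread does not establish how the Myparty attachment was actually encoded.

```python
import email
import re
from email.utils import collapse_rfc2231_value

BLOCKED = (".com", ".exe", ".pif", ".scr", ".bat")  # assumed policy list
# Lenient fallback: any name=/filename= token, even where the header is malformed.
NAME_RE = re.compile(r'name\s*=\s*"?([^";\r\n]+)', re.IGNORECASE)

def candidate_names(part):
    """Collect every name a mail client might use for this MIME part."""
    names = set()
    for header, param in (("Content-Disposition", "filename"), ("Content-Type", "name")):
        value = part.get_param(param, header=header)  # strict parse
        if value is not None:
            names.add(collapse_rfc2231_value(value))
        names.update(NAME_RE.findall(str(part.get(header, ""))))  # lenient parse
    return names

def is_blocked(name):
    # Windows drops trailing dots and spaces on save, so strip them before matching.
    return name.strip().rstrip(" .").lower().endswith(BLOCKED)

def blocked_attachments(raw_message):
    """Return the blocked attachment names found anywhere in the message."""
    hits = []
    for part in email.message_from_string(raw_message).walk():
        hits.extend(sorted(n for n in candidate_names(part) if is_blocked(n)))
    return hits

def sample(attachment_headers):
    """Constructed two-part test message; the attachment body is a harmless stub."""
    return (
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain\n\nconstructed sample body\n'
        '--b1\n' + attachment_headers + '\n\nstub\n--b1--\n'
    )

WELL_FORMED = sample('Content-Type: application/octet-stream; name="www.photos.example.com"\n'
                     'Content-Disposition: attachment; filename="www.photos.example.com"')
# Constructed malformed case: missing ';' before name=, upper case, trailing dot.
MALFORMED = sample('Content-Type: application/octet-stream name="WWW.PHOTOS.EXAMPLE.COM."')
HARMLESS = sample('Content-Type: text/plain; name="notes.txt"')

if __name__ == "__main__":
    for label, raw in (("well-formed", WELL_FORMED), ("malformed", MALFORMED), ("harmless", HARMLESS)):
        print(label, blocked_attachments(raw))
```

In the malformed sample the strict parameter lookup returns nothing, so a filter relying on it alone would pass the part; the lenient pass is what flags it.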

