For what it's worth, MailSweeper for SMTP just looks at the last extension -- it's caught two copies of MyParty so far here without any difficulty.
Aloha,

-Ben-
Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com

> -----Original Message-----
> From: Harmon, Josh [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 1:28 PM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
> I was thinking that might be the problem... BUT
>
> Would that take care of *.*.*.*.com files? If that's really the issue,
> this is something that Sybari needs to address from a coding standpoint
> in my opinion. *.com should kill anything that ends in *.com. Or is it
> up to me to guess how many 'dot' separators the next virus will use?
> Josh
>
> -----Original Message-----
> From: Kemppel, Charlean [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 5:13 PM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
> I have *.com filtered on the Internet & Real-time engines on my IMC &
> it slipped in as well; I actually spoke to a support guy @Sybari & he
> suggested that since the file had multiple "." Antigen saw the
> extension as .myparty and ignored the rest. Sybari suggested using a
> filter of *.*.com to capture multiple extension files.
>
> -----Original Message-----
> From: David Weinstein [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 4:57 PM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
> I am running Antigen as well - this slipped by my .com filter as well -
>
> -----Original Message-----
> From: Saul [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 2:08 PM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
> I am also blocking *.com on our SMTP Scan Job for Antigen but this
> attachment slipped by. Luckily the user who got it suspected something
> and called us. I have updated the virus engines running on our Antigen
> but I am curious why the attachment blocking didn't work? Any IDEAS?
>
> Saul
>
> > This one slipped by our *.com file matching as well... actually it's
> > been a little hit and miss... some were caught but others were not
> > stopped until we installed the definition file--We're running Antigen
> > with the Norman def. I'm still seeing weird stuff.... some seem to be
> > getting through the IMC scan and making it to the store and getting
> > disinfected there. That's the first time I've ever seen that. Very
> > odd indeed. Most that are being caught are by the virus
> > definition--because generally we just get the *.com type block
> > message. Wonder what's going on here.
> >
> > Fortunately we run something different on the desktop--and it had
> > updated through the night.
> >
> > Josh Harmon
> >
> > -----Original Message-----
> > From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 8:20 AM
> > To: Exchange Discussions
> > Subject: RE: Alert: W32/Myparty-mm on the loose
> >
> > Somehow this one slipped past our .com filter on our linux firewall.
> > NAV for exchange caught it by the .COM extension, and norton had just
> > liveupdated us an hour earlier with the new definitions that would
> > have caught it if it wasn't a blocked extension. I think the syntax
> > of the attachment code is probably not RFC compliant.
> >
> > Tom
> >
> > -----Original Message-----
> > From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 9:03 AM
> > To: Exchange Discussions
> > Subject: RE: Alert: W32/Myparty-mm on the loose
> >
> > Fortunately we're all blocking *.com right? The *.com viruses are
> > going to take forever to combat from a social engineering standpoint.
> > It's probably worth investing some time in user education on .com
> > files because I think this is going to be a new favorite virus writing
> > style for the next few months.
> >
> > Chris Scharff
> > The Mail Resource Center
> > http://www.mail-resources.com
> >
> > -----Original Message-----
> > From: Martin Blackstone
> > To: Exchange Discussions
> > Sent: 1/28/2002 7:57 AM
> > Subject: FW: Alert: W32/Myparty-mm on the loose
> >
> > -----Original Message-----
> > From: Russ [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 5:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: Alert: W32/Myparty-mm on the loose
> >
> > Be aware that this morning you will likely find a copy of this new
> > mass mailer in your mail systems. This is a pure social engineering
> > attack, it contains an attachment named as a URL with a .com
> > extension. Since .com is also an application, it will be run as such
> > if it's double-clicked on. Check with your AV company for updates
> > and/or filtering criteria. If you can, be sure you have attachment
> > filtering enabled at your mail gateway. Outlook Email Security Update,
> > and Outlook 2002, both catch this attachment and prevent it from being
> > available for the user to click on.
> >
> > Cheers,
> > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
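
The two extension-parsing behaviours discussed in this thread, side by side, as an added example (not part of the original messages, and not Antigen or MailSweeper code). The filenames are constructed samples, and `first_dot_extension` only models the behaviour the Sybari support contact is reported to have described.

```python
import fnmatch
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".com"}  # the *.com block discussed in the thread


def first_dot_extension(filename):
    """Model of the reported behaviour: token after the FIRST dot is the extension."""
    parts = filename.lower().split(".")
    return "." + parts[1] if len(parts) > 1 else ""


def last_extension(filename):
    """Extension after the LAST dot, which is what Windows uses to pick a handler."""
    # Windows drops trailing dots and spaces, so "x.com." still opens as "x.com".
    name = filename.lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def glob_blocked(filename, pattern="*.com"):
    """Whole-name glob: '*' spans dots, so one pattern covers any number of them."""
    return fnmatch.fnmatchcase(filename.lower().rstrip(". "), pattern)


def build_sample(filenames):
    """Build a constructed message carrying one small attachment per filename."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("test body")
    for name in filenames:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def blocked_attachments(msg, extension_of):
    """Return attachment names whose extension, per extension_of, is blocked."""
    names = [part.get_filename() for part in msg.iter_attachments()]
    return [n for n in names if n and extension_of(n) in BLOCKED_EXTENSIONS]


# Constructed filenames, not taken from a real sample.
SAMPLE = build_sample(["www.myparty.example.com", "notes.txt",
                       "SETUP.COM", "photo.jpg.com."])

if __name__ == "__main__":
    print("first-dot parser blocks:", blocked_attachments(SAMPLE, first_dot_extension))
    print("last-dot parser blocks: ", blocked_attachments(SAMPLE, last_extension))
```

Running the same comparison over the attachment names a gateway has already logged shows which of them a first-dot parser would have let through.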

