Below is my current list of rules running on V 7.05 on a Win 2000 server. They do very well filtering out most harmful attachments, both inbound and outbound. I know I should drop Declude and F-protect on my system, and I will. The last rule I set up to get the latest virus prevents anyone from sending the subject line "Re: Your password!" to anyone at my domain BUT doesn't prevent it from being sent OUT from my domain. So in theory, someone could get this virus on their computer where they have Outlook set up with multiple e-mail addresses and it could still read my domain from the registry keys and send out from my domain. Is there any reason why this rule is only working one way? Can I stop it from sending out?

Marc

B~(name=".*.vbs"\s|name=".*\.shs"\s|name=".*\.scr"\s|name=".*\.pif"\s|name=".*\.bat"\s|name=".*\.exe"\s|name=".*\.data"\s|name=".*\.lnk"\s|name=".*\.unk"\s|name=".*\.com"\s):NUL
B~(begin 6=".*.vbs"\s|begin 6=".*\.shs"\s|begin 6=".*\.scr"\s|begin 6=".*\.pif"\s|begin 6=".*\.bat"\s|begin 6=".*\.exe"\s|begin 6=".*\.data"\s|begin 6=".*\.lnk"\s|begin 6=".*\.unk"\s|begin 6=".*\.com"\s):NUL
F~[EMAIL PROTECTED]:NUL
B~(filename=".*.vbs"\s|filename=".*\.shs"\s|filename=".*\.scr"\s|filename=".*\.pif"\s|filename=".*\.bat"\s|filename=".*\.exe"\s|filename=".*\.data"\s|filename=".*\.lnk"\s|filename=".*\.unk"\s|filename=".*\.com"\s):NUL
F~[EMAIL PROTECTED]:NUL
S~Re:your password:NUL
S~Re: Your password!:NUL
S~(Re: Your password!):NUL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rick Leske
Sent: Monday, July 15, 2002 10:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] FYI NEW VIRUS

You're quite welcome Sean,

Good job on the addition of the filter and if you need a copy of our rules.ima, kill.lst, and smtpd32.acc files please let me know

Off Topic (OT). You really should consider an AV solution - most viruses that cripple corporations have been introduced via email. We use Declude with the F-Prot for Dos and I can't give them enough praise. 80% of our email is what I have coined "SPorn" (Spam and Porn) of which about 10% of that is virus infected.

My OT email is [EMAIL PROTECTED]

Regards,
~Rick

Sean P. Malone wrote:

> Even more fundamental, wouldn't Imail's built-in, Inbound mail filtering capabilities achieve the task of redirecting infected email carriers to a location other than the end-user's inbox?
>
> I say this because we do not yet license the Declude software but are interested in evaluating it in our environment. In the interim, we've had to do the best with what we've got!
>
> We introduced an inbound rule that redirects any message (at least so it seems) with "your password!" in the subject heading to an alternate, administrative mailbox (web messaging) for review.
>
> I am currently looking at about 50 inbound messages that seem to be propagating the worm. Had we not filtered, these messages would have gone right to our end-users.
>
> However, had the existence of the new worm not been mentioned on the list, I would not have created the rule.
>
> Thanks for posting recent, high-distribution virus alerts to the Imail list!
>
> Sean Malone
> University of Dallas
>
> ---------- Original Message ----------------------------------
> From: "Sharyn Schmidt" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Mon, 15 Jul 2002 13:42:46 -0400
>
>>Wouldn't blocking .exe files accomplish the same thing?
>>
>>Sharyn
>>
>>>Also noted is that Declude Virus is catching this as follows:
>>>
>>>Declude Virus v1.55 caught the [Outlook 'MIME Header' Vulnerability]
>>>virus in decrypt-password.exe from ...
>>>

___________________________________________________________________
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Please visit the Knowledge Base for answers to frequently asked
questions: http://www.ipswitch.com/support/IMail/
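
An added example, not part of the original thread and not IMail's own code: a coverage check that rebuilds the posted name= and filename= attachment rules and runs them over constructed MIME headers, so a rule set like this can be tested before it is relied on. Python's re module stands in for IMail's matcher, which is an assumption; whether IMail matches case-insensitively is not stated in the thread, so both behaviours are shown.

```python
import re

# Extensions listed in the B~ rules of the post above.
EXTENSIONS = ["vbs", "shs", "scr", "pif", "bat", "exe", "data", "lnk", "unk", "com"]

def build_rule(keyword, flags=0):
    """Rebuild one posted alternation for the given keyword (name or filename).

    As in the post, only the first alternative (vbs) has an unescaped dot.
    """
    parts = []
    for ext in EXTENSIONS:
        dot = "." if ext == "vbs" else r"\."
        parts.append(rf'{keyword}=".*{dot}{ext}"\s')
    return re.compile("|".join(parts), flags)

def matching_rules(raw_message, flags=0):
    """Return the keywords ("name", "filename") whose rule matches the text."""
    return [kw for kw in ("name", "filename")
            if build_rule(kw, flags).search(raw_message)]

# Constructed sample headers (not taken from real traffic).
SAMPLES = {
    # Attachment name quoted in the Declude report in the thread.
    "worm_attachment": (
        'Content-Type: application/octet-stream; name="decrypt-password.exe"\r\n'
        'Content-Disposition: attachment; filename="decrypt-password.exe"\r\n'
    ),
    # Same kind of file with an upper-case extension.
    "upper_case": 'Content-Type: application/octet-stream; name="SETUP.EXE"\r\n',
    # A document type the rules are not meant to touch.
    "harmless_pdf": 'Content-Type: application/pdf; name="report.pdf"\r\n',
    # No .vbs extension at all; the unescaped dot still lets the rule fire.
    "loose_dot": 'Content-Type: text/plain; name="canvbs"\r\n',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:16} case-sensitive={matching_rules(text)} "
              f"ignore-case={matching_rules(text, re.IGNORECASE)}")
```

The upper_case sample is caught only when matching ignores case, and the loose_dot sample is a false positive that escaping the dot in the vbs alternative removes.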
