> Do you have header/body checks that reject executable attachments? Right
> now I don't have any AV scanning on either of my IMGate or Imail boxes. So
> far, the executable test has been trapping everything like this snippet..

Been killing those for years.

> I do allow zips, but so far nobody has received any unexpected zip
> attachments.

From the SARC page on Netsky.C

---
Attachment: [EMAIL PROTECTED] will create a .zip file as the attachment for 51.5% of the time, randomly selecting one of the Attachment Names below. The archive contains an executable copy of the worm, which also randomly selects the Attachment Names below.

There is a 25% chance that the attachment name will be constructed as follows: attachment_attachment (e.g. document_msg).

For the remaining time, the worm uses a copy of itself as the attachment, and randomly selects one of the Attachment Names below.
---
http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]

So I am quite surprised you have not seen any zips since over half the Netsky.C distribution is done that way.

I did run into an interesting one recently as a byproduct of a forged send by a virus. One of our users was complaining about the bounce. Well, they thought it was something we were bouncing that was sent to him. The truth was the other system had bounced a virus, and he saw the results. All very typical. The difference was in the bounce message. It turns out their system was configured to reject all executable forms, and all archives that it can open. So the only way to email them a compressed file is to password protect it so that their virus scanner cannot open it. Talk about an extreme policy, but I can see the reasoning behind it.

--Eric
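The policy described in the message above (reject executable attachments and any archive the scanner can open, so only password-protected archives pass), sketched as an added example that is not part of the original post or of any mail product named in it. The extension list, the function names and the zip-only handling are assumptions, and the sample messages are constructed.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed block list; the thread does not enumerate extensions.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def is_executable_name(name):
    # Trailing dots/spaces are stripped so "x.exe." is still matched.
    return (name or "").lower().rstrip(". ").endswith(EXECUTABLE_EXTS)

def archive_is_openable(data):
    """True if data is a zip with at least one member readable without a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted member.
            return any(not (m.flag_bits & 0x1) for m in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a zip at all

def check_message(raw_bytes):
    """Return [(filename, reason)] for every attachment the policy rejects."""
    rejected = []
    for part in message_from_bytes(raw_bytes).walk():
        name = part.get_filename()
        if name is None:
            continue  # body text or multipart container
        data = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            rejected.append((name, "executable"))
        elif archive_is_openable(data):  # judged by content, not by file name
            rejected.append((name, "archive can be opened"))
    return rejected

def build_sample(filename, payload):
    """Constructed message carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def make_zip(member, content):
    """Constructed, unencrypted single-member zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()
```

Zip file names are stored unencrypted even in a password-protected archive, so a less strict variant could still reject on member names alone.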
