But once upon a time there were viruses that attached themselves to legit messages (remember happy99?), and the best choice there is to remove the infected attachment and pass the rest of the message along.
I know I'm not the only one who keeps a list of known mass-mailers in order to decide whether to discard the attachment or the whole message. But I have to keep updating that list, and I have to wonder: is it worth making this distinction anymore?
I found some virus naming conventions add "@mm" or "@MM" to the end to indicate a mass mailer, or "Worm." to the beginning to indicate, well, a worm. I've added these strings to the list, so whether Novarg gets caught by File::Scan as W32/[EMAIL PROTECTED] or by ClamAV as Worm.SCO.A, it gets discarded even without me adding Novarg, Mydoom and SCO to the list.
Any thoughts?
Kelson Vibber
SpeedGate Communications <www.speed.net>
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
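The name-based decision described in the post above, sketched in Perl as an added example that is not part of the original message or of MIMEDefang itself. The function name `action_for_virus`, the fallback list entry and every sample name except `Worm.SCO.A` are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical fallback list for mass mailers whose scanner name follows
# neither naming convention; the entry is a constructed placeholder.
my @KNOWN_MASS_MAILERS = ('ExampleMailer');

# Return 'discard' when the scanner-reported name marks a mass mailer or
# worm (the whole message is junk), otherwise 'strip' (remove only the
# infected attachment and pass the rest of the message along).
sub action_for_virus {
    my ($name) = @_;
    return 'strip' unless defined $name;

    # Scanner output often carries stray whitespace or a newline.
    $name =~ s/\A\s+|\s+\z//g;
    return 'strip' unless length $name;

    # Trailing "@mm" or "@MM" marks a mass mailer. The "@" is escaped so
    # Perl does not try to interpolate an array named @mm.
    return 'discard' if $name =~ /\@(?:mm|MM)\z/;

    # Leading "Worm." marks a worm.
    return 'discard' if $name =~ /\AWorm\./;

    # Fall back to the hand-maintained list, matched case-insensitively
    # anywhere in the name; \Q...\E keeps list entries literal.
    for my $known (@KNOWN_MASS_MAILERS) {
        return 'discard' if $name =~ /\Q$known\E/i;
    }
    return 'strip';
}

# Sample names: Worm.SCO.A is quoted in the post, the rest are constructed.
for my $name ('Worm.SCO.A', "W32/Example.A\@mm\n", 'W32/Example.B@MM',
              'W32/ExampleMailer.C', 'W95/Example.Infector') {
    (my $shown = $name) =~ s/\s+\z//;
    printf "%-22s => %s\n", $shown, action_for_virus($name);
}
```

Only the last sample falls through to `strip`; the anchors (`\A`, `\z`) keep a name that merely contains "Worm." or "@mm" in the middle from being treated as a mass mailer.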

