RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions? suggestions?

2003-10-07 Thread Karen D. Oland
We get those too -- they test "clean" and pass thru the A/V portion. We
catch them with rules similar to yours.  Along with the undeliverable mail
reject messages and "you have a virus" messages from other postmasters
(which is why I think it forges addresses quite a bit, since we do not have
any infected machines and have not sent any out from here).  Quite a few,
however, now get caught with other viruses in them (but the same text as
SWEN and same attachment name).

Karen

> -Original Message-
> From: John Tolmachoff
>
> And here, all this time, I thought it was corrupt or incomplete versions of
> Swen.

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions? suggestions?

2003-10-07 Thread Karen D. Oland
Also, make sure you scan ZIP files (many people don't)

> -Original Message-
> From: Robert Grosshandler
> 
> John provided a great filter, since fprot and Norton didn't see 
> the probably corrupt virus.


RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions? suggestions?

2003-10-07 Thread Robert Grosshandler
John provided a great filter, since fprot and Norton didn't see the probably
corrupt virus.

Thanks.

Rob




RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions? suggestions?

2003-10-07 Thread John Tolmachoff (Lists)
And here, all this time, I thought it was corrupt or incomplete versions of
Swen.

I have a force hold test in JM.

Here is the filter file I have:

HEADERS 0   CONTAINS    @technet.msdn.net
HEADERS 0   CONTAINS    Microsoft Corporation Program Security
HEADERS 0   CONTAINS    @technet.net
HEADERS 0   CONTAINS    Latest Net Critical Upgrade
SUBJECT 0   CONTAINS    Last Net Security Patch
SUBJECT 0   CONTAINS    Current Network Update
SUBJECT 0   CONTAINS    Newest Network Security Pack
SUBJECT 0   CONTAINS    {VIRUS?}
SUBJECT 0   CONTAINS    Current Microsoft Patch
SUBJECT 0   CONTAINS    Microsoft Security Pack
SUBJECT 0   CONTAINS    Net Pack
SUBJECT 0   CONTAINS    New Critical Update
SUBJECT 0   CONTAINS    New Net Upgrade
SUBJECT 0   CONTAINS    Last Internet Critical Update
SUBJECT 0   CONTAINS    Current Security Update
SUBJECT 0   CONTAINS    Internet Update
SUBJECT 0   STARTSWITH  Bug Report
SUBJECT 0   CONTAINS    Last Net Patch
SUBJECT 0   CONTAINS    New Patch
SUBJECT 0   CONTAINS    Latest Critical PacK
SUBJECT 0   CONTAINS    internet critical update
SUBJECT 0   CONTAINS    New Internet Patch
SUBJECT 0   CONTAINS    Abort Advice
SUBJECT 0   CONTAINS    Microsoft Pack
SUBJECT 0   CONTAINS    Abort Message
SUBJECT 0   CONTAINS    Last Net Pack
SUBJECT 0   CONTAINS    Last Internet Update
SUBJECT 0   CONTAINS    bug letter
SUBJECT 0   CONTAINS    New Net Critical Patch
SUBJECT 0   CONTAINS    Latest Network Security Pack
SUBJECT 0   CONTAINS    Last Update
SUBJECT 0   CONTAINS    Microsoft Critical Upgrade

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Tuesday, October 07, 2003 7:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Obvious spam not failing my tests,
> suggestions? suggestions?
> 
> 
> >The following headers tell the story.  Anything I should be adding to add
> >weight to this?  It didn't trigger Sniffer or Alligate, but that's a
> >different issue. The mailbox it was sent to was harvested from usenet,
> >fwiw.
> 
> This is actually a virus:
> 
> >FROM: "Microsoft Network Security Section" <[EMAIL PROTECTED]>
> >TO: " " <[EMAIL PROTECTED]>
> >SUBJECT: New Internet Security Pack
> >Mime-Version: 1.0
> >Content-Type: multipart/mixed; boundary="gkxrxour"
> >Message-Id: <[EMAIL PROTECTED]>
> >Date: Mon, 6 Oct 2003 08:33:57 +1300
> 
> This appears to be W32/Harmony.A.
> 
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day evaluation.

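
Added example (not part of the original posts and not Declude's own code): a small Python parser for filter lines in the layout John posted, run against the headers quoted in the thread. The whitespace-separated field layout, case-insensitive matching, and the names parse_filter, matching_rules, QUOTED and VARIANT are assumptions of this example; the rules are a subset of the posted file.

```python
import re

# Subset of the filter lines from the post above (fields separated by whitespace).
FILTER_TEXT = """\
HEADERS 0   CONTAINS    @technet.msdn.net
HEADERS 0   CONTAINS    Microsoft Corporation Program Security
SUBJECT 0   CONTAINS    Newest Network Security Pack
SUBJECT 0   CONTAINS    Microsoft Security Pack
SUBJECT 0   CONTAINS    Net Pack
SUBJECT 0   STARTSWITH  Bug Report
SUBJECT 0   CONTAINS    New Internet Patch
SUBJECT 0   CONTAINS    Latest Network Security Pack
"""

LINE_RE = re.compile(r"^(HEADERS|SUBJECT)\s+(-?\d+)\s+(CONTAINS|STARTSWITH)\s+(.+?)\s*$")

def parse_filter(text):
    """Return (scope, weight, op, needle) tuples; reject lines that do not parse."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: unparseable rule: {line!r}")
        scope, weight, op, needle = m.groups()
        rules.append((scope, int(weight), op, needle))
    return rules

def matching_rules(rules, raw_headers):
    """List the rules that hit a raw header block (case-insensitive: an assumption)."""
    subject = ""
    for h in raw_headers.splitlines():
        if h.lower().startswith("subject:"):
            subject = h.split(":", 1)[1].strip()
    hits = []
    for scope, weight, op, needle in rules:
        hay = (subject if scope == "SUBJECT" else raw_headers).lower()
        ok = hay.startswith(needle.lower()) if op == "STARTSWITH" else needle.lower() in hay
        if ok:
            hits.append((scope, op, needle))
    return hits

# Headers quoted in the thread (addresses were redacted by the archive).
QUOTED = 'FROM: "Microsoft Network Security Section" <redacted>\nSUBJECT: New Internet Security Pack\n'
# Constructed variant whose subject is one of the listed strings.
VARIANT = 'FROM: "MS" <redacted>\nSUBJECT: Latest Network Security Pack\n'

RULES = parse_filter(FILTER_TEXT)
```

With this subset, the quoted "New Internet Security Pack" subject hits no rule while the constructed variant hits one, which is the kind of gap that replaying held samples against the filter exposes. A line with the separator missing after CONTAINS is rejected by parse_filter rather than silently skipped.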