The latest version of MailScanner does a great job of checking filenames inside .zip files. When we upgraded MailScanner the number of new viruses to leak past the AV scanner dropped to zero. (Previous to this we were on the verge of quarantining all .zip attachments... shudder!)
Pierre Thomson
BIC

-----Original Message-----
From: Tom Emerson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 30, 2004 6:15 AM
To: [EMAIL PROTECTED]
Subject: Semi-OT: Viral social engineering at it's finest...

This actually scored fairly low in SA because it didn't do anything "spammy" [no opt-out links, embedded tags, onerous HTML, etc.] but then, SA "doesn't do" viruses :) so I'm not all that surprised. I only mention it here because of something alluded to in the thread "[EMAIL PROTECTED]: bounce 'no such user'" -- intentional bounces to catch the curious cats...

In any case, it is one to watch for [or rather, to watch for your friends running "that rather susceptible system"]

If it weren't so insidious, it would be pure beauty...

It comes with the subject: "RE: Submit a virus sample" and purports to be FROM symantec. Ok, fair enough -- this might be a response you would get if you submitted something via an automated e-mail address and/or web form; doesn't raise any suspicion [other than the fact I've never in my life knowingly "submitted a sample" to an anti-virus site...]

The text reads:

The sample file you sent contains a new virus version of ... [I suspect the name is irrelevant, but in this case it was buppa.k.] Please update your scanner with the attached dat file [a .zip file...]

and the icing on the cake is the name of the .zip file: signature_osnut.zip -- almost as if I were receiving a personalized "virus signature file", how quaint :) [can I drip any more sarcasm on this?]

The zip file, of course, is one of those "double extension" jobs -- whatever.dat.scr -- with "a whole lot of spaces" before the final .scr. Almost makes me want to have a windows system around here to check it out upon... NOT! :) :) :)

--
Top o' the Blog: Google Nirvana gone bye-bye?
http://osnut.homelinux.net/mtblog/ya_index.html
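
The filename check discussed in this thread, sketched as an added example (not MailScanner's code and not from either poster): it reads the member names of a .zip attachment without extracting anything and flags the padded "double extension" pattern described above. The extension lists, the three-space padding threshold and all function names are assumptions made for illustration, and the sample archive is constructed in memory with placeholder content.

```python
import io
import re
import zipfile

# Assumed, partial lists chosen for this example; tune them to local policy.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".dat", ".txt", ".doc", ".pdf", ".jpg"}
PADDING = re.compile(r"\s{3,}")  # whitespace run that pushes the real extension out of view


def check_member(name):
    """Return the reasons an archive member name looks deceptive (empty if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Strip whitespace around each dot-separated part so padding cannot hide an extension.
    exts = ["." + p.strip().lower() for p in base.split(".")[1:] if p.strip()]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension " + exts[-2] + exts[-1])
    if PADDING.search(base):
        reasons.append("whitespace padding in name")
    return reasons


def scan_zip(data):
    """Map each suspicious member name in a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # central directory only; nothing is extracted
            reasons = check_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed sample: an in-memory zip holding harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("whatever.dat" + " " * 40 + ".scr", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(repr(member), "->", "; ".join(why))
```

Because only the archive's name listing is read, the check also works on members the scanner cannot decompress; nested archives would need a second pass.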
