Ron Snyder writes:
> > Ron, is this a worm, or spam?  that's a MSIE exploit, from what
> > I can find on the web.
> >
> > If it's spam, we need to enhance our HTML parser to pick up
> > the "data" attribute as a href.  if that's the case, could you
> > open a bug on bugzilla.SpamAssassin.org?
>
> All of the samples I've captured make me think it's a worm that looks like
> spam, or else the worm somehow replaced some routines on infected Windows
> machines that the spammers are using.
>
> When I sent the email, I actually meant to send it to the clamav list,
> because I suspected it was worm related, but didn't have any way to know for
> sure.
>
> Even though it's a worm (I used lynx to go to the web site and see what gets
> retrieved-- it's a 'page.hta' with instructions to then execute some visual
> basic stuff), should a bug be opened anyway?  Could spammers use this same
> object data method to pull down the text of their spam, even if they're not
> trying to execute code on your machine?

I don't think so -- this is strictly speaking a worm, and a virus scanner
is more appropriate to deal with that.

--j.
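The parser change raised in the thread, sketched as an added example (not part of the original message and not SpamAssassin's own code): a Python extractor that treats the `data` attribute of `<object>` like an `href`, so the URI becomes visible to URI checks. The names `URI_ATTRS`, `UriCollector`, `extract_uris`, `remote_objects` and the sample body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs whose value is a URI the mail client may fetch or link to.
# ("object", "data") is the case discussed in the thread; the others are the
# usual link and resource attributes. This set is an assumption, not a full list.
URI_ATTRS = {
    ("a", "href"), ("area", "href"), ("img", "src"),
    ("iframe", "src"), ("embed", "src"), ("object", "data"),
}


class UriCollector(HTMLParser):
    """Collects (tag, attribute, uri) for each URI-bearing attribute seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <OBJECT DATA=...> matches.
        for name, value in attrs:
            if value and (tag, name) in URI_ATTRS:
                self.found.append((tag, name, value.strip()))


def extract_uris(html):
    """Return every (tag, attribute, uri) found in an HTML message part."""
    parser = UriCollector()
    parser.feed(html)
    parser.close()
    return parser.found


def remote_objects(html):
    """URIs an <object> would load over HTTP(S), as opposed to cid: parts."""
    return [uri for tag, _attr, uri in extract_uris(html)
            if tag == "object" and urlsplit(uri).scheme in ("http", "https")]


# Constructed sample body; the hosts are reserved example domains.
SAMPLE = (
    '<html><body><p>Hello</p>'
    '<a href="http://example.com/offer">click</a>'
    '<OBJECT DATA="http://example.net/page.hta" width=0 height=0></OBJECT>'
    '<object data="cid:part1@local"></object>'
    '</body></html>'
)

if __name__ == "__main__":
    for hit in extract_uris(SAMPLE):
        print(hit)
```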
