-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <[EMAIL PROTECTED]>, Daniel Van Rooijen [Copycats] [DVR] wrote:

DVR> Yes, but Allie, those infected attachments are referenced in the
DVR> header by the strings that Mitja defined. It's for those
DVR> references that Mitja was setting up a filter.

DVR> Looking at the source of some infected messages that just came
DVR> in, I find strings like: "name=Rescue.bat" and "name=Wyugm.pif".

That's the message source you're looking at. I'm saying that TB! doesn't search the message source (I gave the likely reason why); it searches the headers and the message body.

Take my eicar test message. The content header says:

Content-Type: multipart/mixed; boundary="----------D3A45B2109AEC0"

No reference to the virus name there. Now, on examination of the source, if I look *after* the message body, where TB! doesn't search, I see:

,-----[ begin ]----->>
|
| ------------D3A45B2109AEC0
| Content-Type: application/octet-stream; name="<virus name>"
| Content-Transfer-Encoding: base64
| Content-Disposition: attachment; filename="<virus name>"
|
'-----[ end ]-----||

and this is followed by the attachment. TB!'s filtering doesn't search these parts of the source. I had to remove the virus name since the listserver returned my message thinking it was infected. ;-)

- --
-=Allie C Martin=-
List Moderator | TB! v1.60q | Windows XP Pro
PGP/GPG Public Key: mailto:[EMAIL PROTECTED]?Subject=2B0717E2
_________________________________________________________________

-----BEGIN PGP SIGNATURE-----

iD8DBQE9Bz05V8nrYCsHF+IRAkPqAKCfA0UUw9dkkgqrTK+aAICYO2kX8QCeJM8R
SGH5gR2DVepO2uLalrUElyM=
=SJBO
-----END PGP SIGNATURE-----

________________________________________________________
Current Ver: 1.60q
FAQ        : http://faq.thebat.dutaint.com
Unsubscribe: mailto:[EMAIL PROTECTED]
Archives   : http://tbudl.thebat.dutaint.com
Moderators : mailto:[EMAIL PROTECTED]
TBTech List: mailto:[EMAIL PROTECTED]
Bug Reports: https://bt.ritlabs.com
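The point Allie makes above is that a filter which only inspects the top-level headers and the text body never sees the `name=`/`filename=` parameters, because those live in the headers of the individual MIME parts. The following is an added example, not code from the original thread or from The Bat!, showing how a filter has to walk every MIME part to find attachment names. The sample message is constructed here: the boundary value is the one from Allie's message, the attachment names are the two DVR quoted, and the attachment bodies are harmless placeholder text.

```python
# Added example (not from the original post or from The Bat!): find attachment
# names in a raw RFC 2822/MIME message by walking every MIME part, since the
# names appear only in per-part headers, not in the message headers or body.
import base64
import email
from email import policy

# Constructed attachment payload: plain placeholder text, base64-encoded as a
# real attachment would be. It is not an executable of any kind.
PLACEHOLDER_B64 = base64.b64encode(b"placeholder content, not a real file\n").decode("ascii")

# Constructed sample message. Boundary from the message above; the attachment
# file names are the ones DVR quoted, plus one benign text attachment.
RAW_MESSAGE = f"""\
From: sender@example.invalid
To: list@example.invalid
Subject: test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------D3A45B2109AEC0"

------------D3A45B2109AEC0
Content-Type: text/plain; charset=us-ascii

Hello, please see the attached files.

------------D3A45B2109AEC0
Content-Type: application/octet-stream; name="Rescue.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Rescue.bat"

{PLACEHOLDER_B64}

------------D3A45B2109AEC0
Content-Type: text/plain; name="notes.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="notes.txt"

{PLACEHOLDER_B64}

------------D3A45B2109AEC0
Content-Type: application/octet-stream; name="Wyugm.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Wyugm.pif"

{PLACEHOLDER_B64}

------------D3A45B2109AEC0--
"""


def top_level_header_mentions(raw: str, needle: str) -> bool:
    """True if `needle` occurs in any top-level message header (what a
    header-only filter sees). Part headers are deliberately not consulted."""
    msg = email.message_from_string(raw, policy=policy.default)
    return any(needle in str(value) for value in msg.values())


def body_text_mentions(raw: str, needle: str) -> bool:
    """True if `needle` occurs in the text/plain body (what a body filter sees)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and needle in body.get_content()


def attachment_names(raw: str) -> list:
    """Walk every MIME part and collect attachment file names. get_filename()
    reads Content-Disposition's filename= and falls back to Content-Type's name=."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers have no payload of their own
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def flagged_attachments(raw: str, suffixes=(".bat", ".pif", ".scr")) -> list:
    """Attachment names whose extension is on a (hypothetical) block list.
    A filter built on this check sees part headers, unlike a header/body search."""
    return [n for n in attachment_names(raw) if n.lower().endswith(suffixes)]


if __name__ == "__main__":
    print("top-level headers mention Rescue.bat:",
          top_level_header_mentions(RAW_MESSAGE, "Rescue.bat"))
    print("body mentions Rescue.bat:", body_text_mentions(RAW_MESSAGE, "Rescue.bat"))
    print("attachments:", attachment_names(RAW_MESSAGE))
    print("flagged:", flagged_attachments(RAW_MESSAGE))
```

Running it shows the contrast described in the thread: neither the message headers nor the text body contain the attachment names, while walking the parts recovers all three and the suffix check flags the two that DVR's filter was meant to catch. The suffix list is an assumption for illustration; a real filter would also check the declared `Content-Type` against the file's actual content.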

