Hello Jonathan,

JA> ... about a month after Klez started hitting hard, we got about
JA> 10 from the same reply-to address, I emailed, then ran through
JA> our customer database, and called that problem, and they
JA> acknowledged that they were infected, and that her PC had been
JA> taken away by her tech department. I guess that could be an
JA> extreme example, but it sometimes happens.

Since all of these scenarios are feasible, it's clearly better not to generalize or jump to conclusions (which I find I do more late at night when I'm tired or still wound up tight after an energetic day).

>> The supervisor didn't bother to reply either, but they MAY be
>> implementing my suggestion. The only way to find out is to
>> inactivate my own Kill filter and take note. If the messages begin
>> appearing on the Mail Dispatcher again, we know that the TB!
>> Selective Download (Kill) filter is doing the job before it
>> downloads the headers (I have mine set for 25 lines).

JA> You may want to try contacting the abuse@ for that domain, see if they respond,
JA> or if it is in the local area, drop them a call to the support staff, they may
JA> be able to direct you further.

The domain is prodigy.net.mx, which belongs to the national phone company, which has installed thousands of nodes and provides computers on credit along w/ Internet access. IOW, the source of the virus (if the reply-to address really is a reliable indicator) is on the same domain as my own Internet access provider, along with most of the rest of those that use the Internet in Mexico.

As for getting an effective response, there's a saying: "cada cabeza es un mundo" (every head is a world), meaning that the quality of the attention given can vary greatly, and I have not had much good luck when dealing with those at the supervisory levels of prodigy.net.mx, which is owned by Telmex, which in turn is owned by Carlos Slim Helu, who also bought Sears Mexico and thus acquired Prodigy here.

Since buying Telmex (the national local and long distance service provider which was privatized), Carlos Slim Helu has become the richest man in Latin America. He also bought and recently sold CompUSA (for instance). Aside from paying the rent, there's a flat rate charge on all outgoing calls, be they local or "toll free" or via a different long distance service provider. I could go on, but this is clearly an OT theme.

>> Otherwise, the developers could tell us what is happening

JA> I guess there is one sure fire way... set up just a temporary filter, that you
JA> know will only match something you send yourself, like put in a really obscure
JA> string in the body, set up a selective download filter to match that, activate
JA> it, mail it to yourself, and test.

What I did was put the virus messages' "reply to" string in the "Subject" of my message. I had already configured the filter for kludges.

JA> Of course, chances are Tom is correct,

He was correct regarding how to set up an experiment (so were you), but the messages are not killed when being downloaded but rather configured for "deletion w/o download" on the mail dispatcher.

JA> and the mail dispatcher is displaying all messages before
JA> downloading

It does.

JA> which is when the selective download filter works.

No, when we see them they are already configured for deletion w/o being downloaded. The filter simply unchecks the Receive box, while the message is still on the server (idle looping).

JA> But the way I look at it is to get the mail dispatcher to work,
JA> TB has to read all the mails anyway, and in doing so, is
JA> technically downloading the mail.

It must be doing so to a temporary file, but the viruses are in the attachments (the names of which show on the headers).

Douglas