That email is itself a virus, named variously Sober.N, Sober.O or Sober.P. It inserts the second-to-last part of the domain name in the faked anti-virus line.
Among about 400 copies of the viruses we received last night, we got 5 or 6 with a truncated 89-byte attachment that passed the virus scanner. But they all got caught by SpamAssassin, using mostly stock 2.64 rules and an old vbounce.cf add-on rule set.

Pierre Thomson
BIC

-----Original Message-----
From: Ronald I. Nutter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 9:13 AM
To: users@spamassassin.apache.org
Subject: First attempt at writing SPAM rules

We are getting flooded this morning with email that contains the following item(s) in the body of the message -

*** Server-AntiVirus: No Virus (Clean)
*** "GEORGETOWNCOLLEGE" Anti-Virus
*** http://www.georgetowncollege.edu

OR

*** Attachment-Scanner: Status OK
*** "GEORGETOWNCOLLEGE" Anti-Virus
*** http://www.georgetowncollege.edu

Here is what I have created as a rule set -

body BOGUS_SERVER_AV /Server-AntiVirus:/
describe BOGUS_SERVER_AV Blocks Bogus AV Clean message
score BOGUS_SERVER_AV 20.0

body BOGUS_ATTACH_SCAN /Attachment-Scanner:/
describe BOGUS_ATTACH_SCAN Blocks Bogus Attach Scan message
score BOGUS_ATTACH_SCAN 20.0

Any suggestions?

Thanks,
Ron

--------------------------------------------------------------------
Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696
--------------------------------------------------------------------
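
An added example, not written by either poster: Python that matches the whole fake footer quoted above and confirms that the quoted name equals the second-to-last label of the URL's host, so a message that merely mentions one of the marker strings is reported separately. The names `FOOTER_RE`, `second_to_last_label` and `classify_body` are hypothetical, and the upper-cased name form is assumed from the one sample in the thread.

```python
import re
from urllib.parse import urlparse

# Footer layout taken from the samples quoted in the thread: a status line,
# a quoted name followed by "Anti-Virus", then a URL, each introduced by "***".
FOOTER_RE = re.compile(
    r'\*\*\*\s*(?P<status>Server-AntiVirus: No Virus \(Clean\)|'
    r'Attachment-Scanner: Status OK)\s*'
    r'\*\*\*\s*"(?P<name>[^"]+)"\s+Anti-Virus\s*'
    r'\*\*\*\s*(?P<url>https?://\S+)'
)

def second_to_last_label(host):
    """'www.georgetowncollege.edu' -> 'georgetowncollege'; None if too short."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else None

def classify_body(body):
    """Return 'fake_av_footer', 'marker_only' or 'clean' for a message body."""
    text = " ".join(body.split())  # collapse line breaks and runs of spaces
    m = FOOTER_RE.search(text)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        label = second_to_last_label(host)
        # Strongest signal: quoted name is derived from the domain in the URL.
        if label and m.group("name").lower() == label:
            return "fake_av_footer"
    # Marker string present without the full footer, e.g. a reply quoting it.
    if re.search(r'(Server-AntiVirus|Attachment-Scanner):', text):
        return "marker_only"
    return "clean"

# First two bodies reuse the footers quoted in the thread; the last two are
# constructed for this example.
SAMPLES = [
    '*** Server-AntiVirus: No Virus (Clean)\n'
    '*** "GEORGETOWNCOLLEGE" Anti-Virus\n*** http://www.georgetowncollege.edu\n',
    '*** Attachment-Scanner: Status OK\n'
    '*** "GEORGETOWNCOLLEGE" Anti-Virus\n*** http://www.georgetowncollege.edu\n',
    'My rule matches Server-AntiVirus: anywhere in the body. Any suggestions?',
    'Lunch at noon?',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify_body(body), "<-", body.splitlines()[0])
```
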