On Sun, May 17, 2009 at 17:28, Bill Landry <b...@inetmsg.com> wrote:
> Kurt Buff wrote:
>> On Sun, May 17, 2009 at 16:23, Bill Landry <b...@inetmsg.com> wrote:
>>> I'm not sure what the purpose is of this kind of email, as the links are not
>>> clickable, even though they appear to be. The message scored high, but
>>> wondering what others think about this one:
>>>
>>> http://pastebin.com/m74dd8503
>>>
>>> Is it simply a poorly written piece of vbscript that could be dangerous
>>> if done right?
>>>
>>> Bill
>>
>> The clsid is a dead giveaway, and pretty dang old:
>>
>> http://isc.sans.org/diary.html?storyid=3324
>>
>> Don't know why clamav didn't catch it - I know you're running that...
>
> Hey Kurt,
>
> ClamAV did catch the email, but it was with one of the 3rd-party
> signatures (Sanesecurity) that flagged it. I've got amavisd set to not
> quarantine some messages and instead pass them on to SpamAssassin for
> scoring and bayes training.
>
> Bill

That's just as surprising! I'd certainly expect clamav to catch a reference to *any* clsid in an attachment or inlined in a message nowadays.

Kurt