From: Aj <abo...@pa...> - 2004-01-28 15:19:11
|
It might be a bit too broad, but the subject of the NOVARG/Mydoom virus is always "test" so you could use "Subject: test". The attachment name can be variable, so that doesn't help :/. But it does appear the multi-part boundary is partially hardcoded from the information here: http://www.math.org.il/newworm-digest1.txt So maybe we could use "_NextPart_" as the expression? Aj > Received: from 24.95.236.99 ([24.95.236.99] helo=pgsearch.com) by > PTI-ASSP-nospam ; 28 Jan 04 03:27:24 -0000 > From: gr...@pg... > To: abo...@pa... > Subject: test > Date: Tue, 27 Jan 2004 22:28:22 -0500 > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_NextPart_000_0007_C65206E7.CFD9BB56" > X-Priority: 3 > X-MSMail-Priority: Normal > > This is a multi-part message in MIME format. > > ------=_NextPart_000_0007_C65206E7.CFD9BB56 > Content-Type: text/plain; > charset="Windows-1252" > Content-Transfer-Encoding: 7bit > > > > > ------=_NextPart_000_0007_C65206E7.CFD9BB56 > Content-Type: application/octet-stream; > name="data.zip" > Content-Transfer-Encoding: base64 > Content-Disposition: attachment; > filename="data.zip" On 28 Jan 2004 at 10:02, Donpro wrote: > What was the expression you used? > > > -----Original Message----- > > From: ass...@li... > > [mailto:ass...@li...] On Behalf Of > > Matthyw Thomas > > Sent: Wednesday, January 28, 2004 9:53 AM > > To: ass...@li... > > Subject: Re: [Assp-user] Attachments. > > > > > > Does the whitelist supercede this? I've tried this out but > > it looks like whitelisted users can send messages anyhow. > > > > Matthyw Thomas BSc.Eng > > Project Engineer > > BMT Fleet Technology Limited > > 311 Legget Drive > > Kanata, Ontario, Canada > > K2K 1Z8 > > Tel: +1 613 592-2830 ext. 341 > > Fax: +1 613 592-4950 > > mt...@fl... > > > > >>> jh...@cp... 01/27/04 09:33PM >>> > > I'd put something to identify the virus in the "expression to > > identify mailbombs" and change the mailbomb message to be > > "appears to be infected with a virus" > > > > j > > ----- Original Message ----- > > From: "Wil McGilvery" <wmc...@ly...> > > To: <ass...@li...> > > Sent: Tuesday, January 27, 2004 7:09 AM > > Subject: [Assp-user] Attachments. > > > > > > We are starting to see zip files arriving with viruses > > inside. I want to block these, but It appears that it doesn't > > work this way. I tried to put readme.zip in the list with the > > rest of the attachments, but any test message I sent made it through. > > > > Is there a way to use entire file names so I can block > > certain zip files and not others? > > > > Regards, > > > > Wil McGilvery > > Manager > > Lynch Digital Media Inc > > |