From: Robert <ro...@dr...> - 2004-01-28 15:36:10
Aj,

Just to correct you, but I've seen most of the Subject Lines listed in the SARC writeup, and it's not always "test". Here they are, as per the writeup: I've seen all of them except for the "hi" one as of yet. Don't assume that only "test" is the subject, it's not.

From: May be a spoofed from address
Subject: (one of the following)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message: (one of the following)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment: (one of the following)
document
readme
doc
text
file
data
test
message
body

--------------------------------------------------------------------------------

Notes:
The attachment may have TWO suffixes (file.htm.pif for example). If so, the first suffix will be one of the following:
.htm
.txt
.doc

The worm will ALWAYS end with one of the following suffixes:
.pif
.scr
.exe
.cmd
.bat
.zip (A zip attachment will contain a copy of the worm which shares the same filename as the .zip. For example, readme.zip will contain readme.pif)

If the worm has an extension of .exe or .scr, the file will be displayed with the pseudo-notepad icon. Otherwise it will use the icon appropriate to the corresponding file type.

-----Original Message-----
From: ass...@li... [mailto:ass...@li...] On Behalf Of Aj
Sent: January 28, 2004 10:19 AM
To: ass...@li...
Subject: RE: [Assp-user] Attachments.

It might be a bit too broad, but the subject of the NOVARG/Mydoom virus is always "test" so you could use "Subject: test". The attachment name can be variable, so that doesn't help :/. But it does appear the multi-part boundary is partially hardcoded from the information here: http://www.math.org.il/newworm-digest1.txt

So maybe we could use "_NextPart_" as the expression?

Aj

> Received: from 24.95.236.99 ([24.95.236.99] helo=pgsearch.com) by
> PTI-ASSP-nospam ; 28 Jan 04 03:27:24 -0000
> From: gr...@pg...
> To: abo...@pa...
> Subject: test
> Date: Tue, 27 Jan 2004 22:28:22 -0500
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0007_C65206E7.CFD9BB56"
> X-Priority: 3
> X-MSMail-Priority: Normal
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0007_C65206E7.CFD9BB56
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
>
>
>
>
> ------=_NextPart_000_0007_C65206E7.CFD9BB56
> Content-Type: application/octet-stream;
> name="data.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> filename="data.zip"

On 28 Jan 2004 at 10:02, Donpro wrote:

> What was the expression you used?
>
> > -----Original Message-----
> > From: ass...@li... [mailto:ass...@li...] On Behalf Of Matthyw Thomas
> > Sent: Wednesday, January 28, 2004 9:53 AM
> > To: ass...@li...
> > Subject: Re: [Assp-user] Attachments.
> >
> > Does the whitelist supersede this? I've tried this out but it looks like whitelisted users can send messages anyhow.
> >
> > Matthyw Thomas BSc.Eng
> > Project Engineer
> > BMT Fleet Technology Limited
> > 311 Legget Drive
> > Kanata, Ontario, Canada
> > K2K 1Z8
> > Tel: +1 613 592-2830 ext. 341
> > Fax: +1 613 592-4950
> > mt...@fl...
> >
> > >>> jh...@cp... 01/27/04 09:33PM >>>
> > I'd put something to identify the virus in the "expression to identify mailbombs" and change the mailbomb message to be "appears to be infected with a virus"
> >
> > j
> >
> > ----- Original Message -----
> > From: "Wil McGilvery" <wmc...@ly...>
> > To: <ass...@li...>
> > Sent: Tuesday, January 27, 2004 7:09 AM
> > Subject: [Assp-user] Attachments.
> >
> > We are starting to see zip files arriving with viruses inside. I want to block these, but it appears that it doesn't work this way. I tried to put readme.zip in the list with the rest of the attachments, but any test message I sent made it through.
> >
> > Is there a way to use entire file names so I can block certain zip files and not others?
> >
> > Regards,
> >
> > Wil McGilvery
> > Manager
> > Lynch Digital Media Inc

_______________________________________________
Assp-user mailing list
Ass...@li...
https://lists.sourceforge.net/lists/listinfo/assp-user
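As an added example (not from the thread, and not ASSP's own filter code), the Python below scores a raw message against the indicators Robert pasted from the SARC writeup: the subject list, the attachment name stems, the two-suffix form, the final suffixes, and the "_NextPart_" boundary Aj proposed. The sample message is constructed from the headers Aj quoted; its sender address and base64 payload are placeholders, and the boundary match is deliberately treated as weak because ordinary mail clients emit the same prefix.

```python
import email
from email import policy

# Indicator lists copied from the SARC writeup quoted in the thread.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
STEMS = {"document", "readme", "doc", "text", "file", "data", "test",
         "message", "body"}
INNER = {".htm", ".txt", ".doc"}                         # first of two suffixes
FINAL = {".pif", ".scr", ".exe", ".cmd", ".bat", ".zip"}  # always the last one
# Constructed sample modelled on the headers quoted in Aj's message.
SAMPLE = """\
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0007_C65206E7.CFD9BB56"

------=_NextPart_000_0007_C65206E7.CFD9BB56
Content-Type: application/octet-stream; name="data.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="data.zip"

UEsDBAo=
------=_NextPart_000_0007_C65206E7.CFD9BB56--
"""


def attachment_indicators(filename):
    """Indicators matched by one attachment name, e.g. readme.htm.pif."""
    stem, *suffixes = filename.lower().split(".")
    suffixes = ["." + s for s in suffixes]
    hits = []
    if suffixes and suffixes[-1] in FINAL:
        hits.append("suffix" + suffixes[-1])
    if stem in STEMS:
        hits.append("stem:" + stem)
    if len(suffixes) == 2 and suffixes[0] in INNER and suffixes[1] in FINAL:
        hits.append("double-suffix")                  # the file.htm.pif form
    return hits


def score_message(raw):
    """Collect indicators; 'boundary' alone is weak (common client prefix)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    if "_NextPart_" in (msg.get_boundary() or ""):
        hits.append("boundary")
    for part in msg.iter_attachments():
        hits.extend(attachment_indicators(part.get_filename() or ""))
    attach = [h for h in hits if h.startswith(("suffix", "stem", "double"))]
    return {"hits": hits, "suspicious": "subject" in hits and bool(attach)}
```

A message is flagged only when a listed subject coincides with a listed attachment name or suffix, which is why a "Subject: test" rule or a bare "_NextPart_" rule on its own would be far too broad.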