[pmmail-list] Filter for newest virus

Allan McLane pmmail-list@blueprintsoftwareworks.com
Tue, 27 Nov 2001 09:35:11 -0500


Here is part of a message that contained the Badtrans virus that we received at the ISP I provide support for. Every one so far seems to share these two characteristics: aol.com as the hostname and an underscore as the leading character in the From address.

========
Received: from aol.com (arc8a115.bf.sover.net [209.198.83.116])
	by mailgate1.sover.net (8.11.6/8.11.6) with SMTP id fAR1R6L04517
	for <support@sover.net>; Mon, 26 Nov 2001 20:27:07 -0500 (EST)
Date: Mon, 26 Nov 2001 20:27:07 -0500 (EST)
Message-Id: <200111270127.fAR1R6L04517@mailgate1.sover.net>
From: "Tod Murphy" <_tmurphy@xxx.com>
======

Maybe you can craft a filter with an AND on these two items.

--allan

On Tue, 27 Nov 2001 06:24:05 -0800, Kenneth Porter wrote:

>http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
>
>Anyone got a filter for this? I'm seeing it weighing in at about 40k
>for each message, and no body, just the attachments. I'm thinking
>something like subject of "Re:", empty body, and size from 38k to 42k
>(to allow for variation in headers).
>
>Ken
>mailto:shiva@well.com
>http://www.sewingwitch.com/ken/
>[If answering a mailing list posting, please don't cc me your reply. I'll take my answer on the list.]
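An added example, not code from the list or from PMMail: a small Python check that applies Allan's two-trait AND rule (claimed HELO name exactly "aol.com" in a Received: header, plus a From address beginning with an underscore) to constructed sample headers modelled on the ones quoted above; the "clean" sample, its hostname, address and IP are made up for contrast.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post (not a real message).
SAMPLE_BADTRANS = "\n".join([
    "Received: from aol.com (arc8a115.bf.sover.net [209.198.83.116])",
    "\tby mailgate1.sover.net (8.11.6/8.11.6) with SMTP id fAR1R6L04517",
    "\tfor <support@sover.net>; Mon, 26 Nov 2001 20:27:07 -0500 (EST)",
    "Date: Mon, 26 Nov 2001 20:27:07 -0500 (EST)",
    "Message-Id: <200111270127.fAR1R6L04517@mailgate1.sover.net>",
    'From: "Tod Murphy" <_tmurphy@xxx.com>',
    "Subject: Re:",
    "",
    "",
])

# Constructed legitimate-looking message that shares only ONE of the two traits
# (underscore in the From address, but no forged "aol.com" HELO).
SAMPLE_CLEAN = "\n".join([
    "Received: from mail.example.net (mail.example.net [192.0.2.10])",
    "\tby mailgate1.sover.net (8.11.6/8.11.6) with SMTP id fAR1R6L04518",
    "\tfor <support@sover.net>; Mon, 26 Nov 2001 20:30:00 -0500 (EST)",
    'From: "Jane Doe" <_jdoe@example.net>',
    "Subject: Re: support ticket",
    "",
    "Hello, following up on my ticket.",
])

def helo_names(msg):
    """Hostnames written after 'from' in each Received: header.
    Sendmail logs 'from <name the sender claimed in HELO> (<reverse DNS> [<ip>])',
    so this is the forgeable claim, not the relay's own observation."""
    names = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", value)
        if m:
            names.append(m.group(1).lower())
    return names

def badtrans_traits(raw):
    """Evaluate the two traits separately so a filter can AND them."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return {"claimed_aol": "aol.com" in helo_names(msg),   # exact match, not *.aol.com
            "underscore_from": addr.startswith("_")}

def looks_like_badtrans(raw):
    t = badtrans_traits(raw)
    return t["claimed_aol"] and t["underscore_from"]
```

Matching the bare name "aol.com" rather than any host ending in "aol.com" is what keeps genuine AOL relays out of the filter.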

- pmmail-list - The PMMail Discussion List ---------------------------
To POST to the list, send your message to:
pmmail-list@blueprintsoftwareworks.com

To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
line of the message body being...
UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com
---------------------------------------------------------------------