[pmmail-list] SirCam Virus Filtering Update

Maynard pmmail-list@blueprintsoftwareworks.com
Sat, 04 Aug 2001 17:25:40 -0500 (CDT)


Don't get so bent on this, Kris; and don't take it personally.
The fact that the AV community doesn't recognize the non-compliant
"date: " string header is not relevant.
While your ICSL filter catches all the body text and everything else
which is thought to be "defining" of SirCam at this time, it is
probably a whole lot more CPU and time intensive than those more simple
filters in use by those of us who don't mind a possible "false
positive".
May I suggest that you set up the simple "date: " check after you've
trapped your SirCams, and see if it catches anything.
Everybody is trying to work together here, and nobody is intending to
offend you.
Folks on this list are appreciative of your contributions, and have
stated so.
I could just as easily send the SirCam through your filters, but that
would be _me_, not the worm, initiating the connection. The worm does
"date: " just as consistently as it does the other stuff.

Be happy.

	`~Maynard



On Sat, 04 Aug 2001 13:44:40 -0700 (PDT), Kris Sorem Sr wrote:

>On Fri, 03 Aug 2001 06:34:57 -0700, Dian Welle wrote:
>
>>I'll tell you what, I receive the worm 7-10 times each day, and this
>>simple filter has caught it 100% of the time for me, and never gotten a
>>false pos.... yet. 
>
>I am curious to know how you can make this statement. Have you checked
>_every_ message this filter _does not_ catch? If it were this simple,
>the anti-virus experts would have included it in their profiles. Maybe
>you should send them your suggestion. 
>
>Your simple filter does nothing more than check a message with an
>attachment for an uncapitalized header date. Any message with an
>attachment having an uncapitalized header date will be filtered whether
>it is a w32.sircam worm message or not. I can prove this to you by
>sending a message to you that _will be_ filtered but is not a
>w32.sircam message. That would be a false positive. Should I? I have
>been using ICSL filtering since its initial release with PMMail. Part
>of my job is to protect customers' systems. I have been doing this type
>of work for 27yrs. I offered a filter to this list that would as
>accurately as possible catch a w32.sircam message. While you use this
>simple filter, you will remain vulnerable to any w32.sircam message
>that has a capitalized header date and you _could_ filter messages that
>are _not_ w32.sircam messages.
>--
>JMO, 
>/s/~Kris
>-------------------------------+------------------------------------------
>
>
>
>- pmmail-list - The PMMail Discussion List ---------------------------
>To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
>line of the message body being...
>UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com
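The two filters argued over above differ only in what they inspect: the "simple" one fires on any message that carries an attachment and spells the header name as lowercase "date:". The added example below is not from the thread, from PMMail or from ICSL; it is a stand-alone Python implementation of that simple rule, run over constructed sample messages (no real SirCam capture is used, and the attachment contents and filename are made up). It shows the three outcomes discussed in the thread on the same code path: a lowercase-dated message with an attachment is caught, a legitimate message whose mailer happens to emit "date:" is caught too (the false positive Kris describes), and a worm-like message with a capitalized "Date:" slips through. It also shows a pitfall for anyone re-implementing the rule: looking the header up by name after parsing is case-insensitive, so the raw field names have to be inspected instead.

```python
import email
from email.message import Message

# ---- constructed sample messages (not real worm samples) -------------------
BOUNDARY = "----=_constructed_boundary"


def build_message(date_field_name: str, attach: bool, body: str) -> bytes:
    """Assemble a minimal RFC 822/MIME message as raw bytes.

    date_field_name controls how the Date header *name* is spelled on the
    wire ("date" vs "Date"), which is the only thing the simple filter keys on.
    The attachment filename and payload are placeholders.
    """
    lines = [
        "From: someone@example.org",
        "To: you@example.org",
        f"{date_field_name}: Sat, 04 Aug 2001 12:00:00 -0500",
        "Subject: hi",
        "MIME-Version: 1.0",
    ]
    if attach:
        lines += [
            f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
            "",
            f"--{BOUNDARY}",
            "Content-Type: text/plain",
            "",
            body,
            "",
            f"--{BOUNDARY}",
            "Content-Type: application/octet-stream",
            'Content-Disposition: attachment; filename="attachment.bin"',
            "",
            "AAAA",
            f"--{BOUNDARY}--",
        ]
    else:
        lines += ["Content-Type: text/plain", "", body]
    return "\r\n".join(lines).encode()


WORM_LIKE = build_message("date", True, "constructed body, lowercase date")
LEGIT_LOWERCASE = build_message("date", True, "Here is the file you asked for.")
WORM_CAPITALIZED = build_message("Date", True, "constructed body, capitalized Date")
PLAIN_LOWERCASE = build_message("date", False, "no attachment at all")


# ---- the filter ------------------------------------------------------------
def raw_header_names(msg: Message) -> list:
    """Header names exactly as they appeared on the wire.

    Python's parser keeps the original spelling in msg.items(); msg['Date']
    itself is a case-insensitive lookup and would hide the very thing the
    simple filter is looking for.
    """
    return [name for name, _ in msg.items()]


def has_uncapitalized_date_header(msg: Message) -> bool:
    """True when the Date field name is spelled entirely in lowercase."""
    return any(name == "date" for name in raw_header_names(msg))


def has_attachment(msg: Message) -> bool:
    """True when any leaf MIME part is an attachment or carries a filename."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            return True
    return False


def simple_date_filter(raw: bytes) -> bool:
    """The thread's simple filter: attachment AND lowercase 'date:' header."""
    msg = email.message_from_bytes(raw)
    return has_attachment(msg) and has_uncapitalized_date_header(msg)


def naive_parsed_lookup(raw: bytes) -> bool:
    """What a too-quick re-implementation does: ask the parsed message for
    'date'. This is True for every dated message regardless of spelling, so
    it cannot express the rule at all."""
    return email.message_from_bytes(raw)["date"] is not None


if __name__ == "__main__":
    for label, raw in [("worm-like, lowercase date", WORM_LIKE),
                       ("legitimate, lowercase date", LEGIT_LOWERCASE),
                       ("worm-like, capitalized Date", WORM_CAPITALIZED),
                       ("no attachment, lowercase date", PLAIN_LOWERCASE)]:
        print(f"{label:32s} filtered={simple_date_filter(raw)}")
```

Run as a script it prints one line per sample; the second line is the false positive and the third the miss, which together are the precision/recall trade-off the thread is arguing about. Anyone wanting to layer the body-text checks of the stricter filter on top would add them in `simple_date_filter` after the header test, since the raw-name inspection is the part that is easy to get wrong.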