[Esd-l] Re: [Esa-l] Sanitizer rule for Novarg .ZIP attack
Tristan Griffiths
tristan.griffiths at stomp.com.au
Thu Jan 29 14:20:07 PST 2004

We've been caught out by those ones too. I'm wishing someone had pointed
me in the direction of http://www.clamav.net/ earlier. Combine Clam AV
with Sendmail Milter and there's the solution to the .zip attachment
problem. Still using the Email sanitizer just in case the virus scanning
fails.

We've captured 4000+ Virus E-mails (mostly MyDoom) since I set up Clam AV
24 hours ago.

Has anyone else noticed the behavior of the worm where it is sending to
what seems a dictionary or names in the one domain? Like 'bob at stomp',
'fred at stomp', 'joe at stomp', etc...?

Simon Matthews wrote:
> John, and others,
>
> I've seen a few copies of a variant that has no subject, no text (to
> be more accurate, it claims to have a section that uses
> Windows-1252 charset, but it's empty), just a zip file attachment.
> Any suggestions on filtering? Anyone want to see a copy?