Re: [cobalt-users] Slightly OT: Blocking BadTrans virus
- Subject: Re: [cobalt-users] Slightly OT: Blocking BadTrans virus
- From: "RaQ Manager" <cobalt@xxxxxxxxxxxxxxxxx>
- Date: Tue Nov 27 15:07:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Thank you Jay. Funnily enough I actually took part several times in the
> thread you mention! However, the solution created by Colin J Raven and
> discussed there depends on looking for certain signature strings in the body
> of the email text. I may be missing something but if not I don't think this
> can be used to block BadTrans which attaches itself to any message sent from
> an infected client including those it sends by itself without the user's
> knowledge.
Though I'm not familiar with the procmail filter, if I understand correctly
you need some way to uniquely identify the offending Email. I've been
flooded with infected Email the last two days so I started reading. I found
this on the Microsoft site:
"If an attacker created an HTML e-mail containing an executable attachment,
then modified the MIME header information to specify that the attachment was
one of the unusual MIME types that IE handles incorrectly, IE would launch
the attachment automatically when it rendered the e-mail."
I looked at all the headers for the infected Emails and they all had:
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="====_ABC1234567890DEF_===="
None of the other Emails had this so perhaps it could be used in your
filter.
--
WIN a Salt Lake 2002 Winter Games pin!...
Visit http://www.ThingsToDo.com
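
The header check suggested in the message above, as an added example that is not part of the original post or of any Cobalt or procmail tooling. The function name `classify` and the three sample messages are constructed for illustration; the three header values are the ones quoted in the post.

```python
import email

# Top-level Content-Type values the post reports for the infected messages.
REPORTED_TYPE = "multipart/related"
REPORTED_INNER = "multipart/alternative"
REPORTED_BOUNDARY = "====_ABC1234567890DEF_===="

def classify(raw_message: str) -> str:
    """Return 'exact', 'structure-only' or 'no-match' for one raw message."""
    msg = email.message_from_string(raw_message)  # copes with folded header lines
    if msg.get_content_type() != REPORTED_TYPE:
        return "no-match"
    inner = msg.get_param("type")  # None when the parameter is absent
    if not isinstance(inner, str) or inner.lower() != REPORTED_INNER:
        return "no-match"
    # MIME boundaries are case-sensitive, so compare the string exactly.
    if msg.get_boundary() == REPORTED_BOUNDARY:
        return "exact"
    return "structure-only"

# Constructed sample: header folded over three lines, as quoted in the post.
SAMPLE_REPORTED = (
    "From: sender@example.com\nSubject: Re:\nMIME-Version: 1.0\n"
    "Content-Type: multipart/related;\n"
    "\ttype=\"multipart/alternative\";\n"
    "\tboundary=\"====_ABC1234567890DEF_====\"\n"
    "\n--====_ABC1234567890DEF_====\nContent-Type: text/plain\n\nbody\n"
    "--====_ABC1234567890DEF_====--\n"
)
# Constructed sample: same MIME structure, different boundary string.
SAMPLE_OTHER_BOUNDARY = (
    "From: news@example.org\nSubject: Newsletter\nMIME-Version: 1.0\n"
    "Content-Type: multipart/related; type=\"multipart/alternative\";\n"
    " boundary=\"----=_NextPart_000_0001\"\n"
    "\n------=_NextPart_000_0001\nContent-Type: text/plain\n\nbody\n"
    "------=_NextPart_000_0001--\n"
)
# Constructed sample: ordinary single-part text message.
SAMPLE_PLAIN = (
    "From: friend@example.net\nSubject: lunch\n"
    "Content-Type: text/plain; charset=us-ascii\n\nSee you at noon.\n"
)

if __name__ == "__main__":
    for name in ("SAMPLE_REPORTED", "SAMPLE_OTHER_BOUNDARY", "SAMPLE_PLAIN"):
        print(name, "->", classify(globals()[name]))
```

The multipart/related and type="multipart/alternative" combination is also the normal layout for HTML mail with inline images, so only the "exact" result, which includes the boundary string, is specific enough to act on in a filter.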