[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]



 (Don't know anything about procmail, but thought this might help)

Noala
----- Original Message -----
From: "RaQ Manager" <cobalt@xxxxxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Wednesday, November 28, 2001 6:48 AM
Subject: Re: [cobalt-users] Slightly OT: Blocking BadTrans virus


> > Thank you Jay. Funnily enough I actually took part several times in
the
> > thread you mention! However, the solution created by Colin J Raven
and
> > discussed there depends on looking for certain signature strings in
the
> body
> > of the email text. I may be missing something but if not I don't
think
> this
> > can be used to block BadTrans which attaches itself to any message
sent
> from
> > an infected client including those it sends by itself without the
user's
> > knowledge.
>
>
> Though I'm not familiar with the procmail filter if I understand
correctly
> you need some way to uniquely identify the offending Email. I've been
> flooded with infected Email the last two days so I started reading. I
found
> this on the Microsoft site:
>
> "If an attacker created an HTML e-mail containing an executable
attachment,
> then modified the MIME header information to specify that the
attachment was
> one of the unusual MIME types that IE handles incorrectly, IE would
launch
> the attachment automatically when it rendered the e-mail."
>
> I looked at all the headers for the infected Emails and they all had:
>
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="====_ABC1234567890DEF_===="
>
> None of the other Emails had this so perhaps it could be used in your
> filter.
>
> --
> WIN a Salt Lake 2002 Winter Games pin!...
> Visit http://www.ThingsToDo.com
>
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
>