Full Disclosure mailing list archives

Re: Re: Filtering sobig with postfix


From: "gregh" <chows () ozemail com au>
Date: Thu, 21 Aug 2003 07:52:09 +1000


----- Original Message ----- 
From: vogt () hansenet com 
To: madduck () madduck net ; full-disclosure () lists netsys com 
Sent: Wednesday, August 20, 2003 11:27 PM
Subject: AW: [Full-disclosure] Re: Filtering sobig with postfix


/see attached file for details/ REJECT

this incurs a factor 2-4 performance drop, and it could also elicit
false positives. you should definitely do more than just REJECT
(i.e. write out a message: s/REJECT/554 Suspected virus/).

Agree, a message would be good.


Just wanted to mention that I have been testing a few Windows-based anti spam progs for customers. Spamkiller has the 
ability to pick things out quite nicely that some others don't appear to do. I have found the Sobig emails all seem to 
have a header line in it with "Found to be clean" as a way to attempt to fool something or other that there is no virus 
attached to the email. Filtering on that header seems to keep them all out so far.

Noted that the FROM header can be anyone, like other viruses have done in the past, from the infected system's email address 
book or possibly anywhere on the hard disk.

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
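An added example, not part of this thread, that simulates the header_checks style filtering discussed above in Python: rules are tried against each raw header line and the first match wins, returning the 554 reply text instead of a bare REJECT. The header name carrying "Found to be clean" and all sample headers are constructed; the third sample shows the false-positive risk the thread mentions, since a legitimate mail whose Subject happens to contain the phrase is rejected too.

```python
import re

# Constructed rules modelled on the thread's suggestion: pattern, action and
# the SMTP reply text to return instead of a bare REJECT. First match wins,
# as in Postfix header_checks (this is a simulation, not Postfix itself).
RULES = [
    (re.compile(r"see attached file for details", re.I), "REJECT", "554 Suspected virus"),
    (re.compile(r"Found to be clean", re.I), "REJECT", "554 Suspected virus"),
]


def check_headers(headers):
    """Return (action, reply_text) for the first header line a rule matches,
    or (None, None) when every header line passes. `headers` is a list of
    raw "Name: value" lines, matched whole, as header_checks does."""
    for line in headers:
        for pattern, action, text in RULES:
            if pattern.search(line):
                return action, text
    return None, None


# Constructed sample 1: headers resembling the Sobig mails described in the
# thread (spoofed sender, the bogus "Found to be clean" line). The header
# name X-Scanned is an assumption for illustration.
SOBIG_LIKE = [
    "From: colleague@example.invalid",
    "To: victim@example.invalid",
    "Subject: Re: Details",
    "X-Scanned: Found to be clean",
]

# Constructed sample 2: a legitimate mail that trips the Subject rule,
# illustrating the false-positive caveat raised in the thread.
FALSE_POSITIVE = [
    "From: accounting@example.invalid",
    "To: victim@example.invalid",
    "Subject: Invoice Q3 - see attached file for details",
]

# Constructed sample 3: an ordinary mail that passes all rules.
CLEAN = [
    "From: friend@example.invalid",
    "To: victim@example.invalid",
    "Subject: Lunch on Friday?",
]

if __name__ == "__main__":
    for name, hdrs in [("sobig", SOBIG_LIKE), ("false_positive", FALSE_POSITIVE), ("clean", CLEAN)]:
        print(name, check_headers(hdrs))
```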

