[Esd-l] Badtrans ad nauseam (Was: badtrans ad infinitum)

Brett Glass brett at lariat.org
Wed Nov 28 11:38:01 PST 2001

At 07:49 AM 11/28/2001, John D. Hardin wrote:
>My quarantine overfloweth.
>Does anybody know BillG's email address so we can all do something
>useful with these damned things?

It's billg at microsoft.com. 

And the problem will get worse. Sircam was prevalent enough, and it 
did not infect unless the recipient launched an attachment. Badtrans
doesn't require that, and is also an autoresponder. It therefore is 
likely to be the most widespread worm yet. Thank <insert name of
deity of your choice> that it doesn't have a destructive payload
(like Magistr) and does not obscure the address of the infected
party (like Hybris). I'm concerned that later mutations WILL do
these things, which is why I want multiple filters and recipes
in place. (Still need to learn how to do a recipe that compares
the envelope "From" address and the From: header.)

--Brett Glass

