[Esd-l] Attachment of application.pif was not stripped

Mike McCandless michael at prismbiz.com
Sat Aug 23 18:52:23 PDT 2003

I checked the Web site, and read through the local rules.  I must admit I
need some help with where these get put in my procmailrc file, or how they
are referenced.  Also, your reply below talks about quarantining.  What if I
want to treat these emails as qualifying for stripping, not quarantining?

----- Original Message ----- 
From: "John D. Hardin" <jhardin at impsec.org>
To: "Mike McCandless" <michael at prismbiz.com>
Cc: <esd-l at spconnect.com>
Sent: Saturday, August 23, 2003 10:47 AM
Subject: Re: [Esd-l] Attachment of application.pif was not stripped

> On Sat, 23 Aug 2003, Mike McCandless wrote:
> > However, I'm confused about why the application.pif was not
> > stripped by the Sanitizer.  The user in question got plenty of
> > other .pif attachments, which were successfully stripped by the
> > Sanitizer.  Any ideas?
> The most likely possibility is that it's an older SoBig, one that
> delivered the attack wrapped in a .ZIP file. Check the website for the
> sample local-rules file that detects and quarantines this version.
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   ...the Fates notice those who buy chainsaws...
>                                               -- www.darwinawards.com
> -----------------------------------------------------------------------
>    70 days until Matrix Revolutions

More information about the esd-l mailing list