[Esd-l] Re: [Esa-l] Sanitizer rule for Novarg .ZIP attack

Tristan Griffiths tristan.griffiths at stomp.com.au
Thu Jan 29 14:20:07 PST 2004

We've been caught out by those ones too. I'm wishing someone had pointed 
me in the direction of http://www.clamav.net/ earlier. Combine Clam AV 
with Sendmail Milter and there's the solution to the .zip  attachment 
problem. Still using the Email sanitizer just in case the virus scanning 

We've captured 4000+ Virus E-mails (mostly MyDoom) since I setup Clam AV 
24 hours ago.

Has anyone else noticed the behavior of the worm where it is sending to 
what seems a dictionary or names in the one domain? Like 'bob at stomp', 
'fred at stomp', 'joe at stomp', etc...?

Simon Matthews wrote:

> John, and others,
> I've seen a few copies of a variant that has no subject, no text (to 
> be more accurate, it claims to have to have a section that uses 
> Windows-1252 charset, but it's empty), just a zip file attachment.
> Any suggestions on filtering? Anyone want to see a copy?

More information about the esd-l mailing list