[Esd-l] Attachment of application.pif was not stripped
Mike McCandless
michael at prismbiz.com
Sat Aug 23 18:52:23 PDT 2003
I checked the Web site, and read through the local rules. I must admit I
need some help with where these get put in my procmailrc file, or how they
are referenced. Also, your reply below talks about quarantining. What if I
want to treat these emails as qualifying for stripping, not quarantining?
----- Original Message -----
From: "John D. Hardin" <jhardin at impsec.org>
To: "Mike McCandless" <michael at prismbiz.com>
Cc: <esd-l at spconnect.com>
Sent: Saturday, August 23, 2003 10:47 AM
Subject: Re: [Esd-l] Attachment of application.pif was not stripped
> On Sat, 23 Aug 2003, Mike McCandless wrote:
>
> > However, I'm confused about why the application.pif was not
> > stripped by the Sanitizer. The user in question got plenty of
> > other .pif attachments, which were successfully stripped by the
> > Sanitizer. Any ideas?
>
> The most likely possibility is that it's an older SoBig, one that
> delivered the attack wrapped in a .ZIP file. Check the website for the
> sample local-rules file that detects and quarantines this version.
>
> --
> John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> jhardin at impsec.org pgpk -a jhardin at impsec.org
> key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> ...the Fates notice those who buy chainsaws...
> -- www.darwinawards.com
> -----------------------------------------------------------------------
> 70 days until Matrix Revolutions
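
The quoted reply suggests the .pif arrived wrapped in a .ZIP, where a filter keyed on the MIME attachment name sees only the archive name. The sketch below is an added example, not part of the thread and not the Sanitizer's code; it lists archive members so that case is flagged too. The extension list, verdict labels and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed extension list for this example, not the Sanitizer's own list.
RISKY_EXTENSIONS = (".pif", ".scr", ".exe", ".bat", ".com")


def is_risky(name):
    return name.lower().endswith(RISKY_EXTENSIONS)


def scan_attachments(raw_message):
    """Return (attachment, member, verdict) tuples for a raw RFC 822 message."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        filename = part.get_filename()
        if not filename:
            continue
        if is_risky(filename):
            findings.append((filename, None, "risky-name"))
            continue
        payload = part.get_payload(decode=True) or b""
        # Check content, not just the name: a renamed ZIP is still a ZIP.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    if is_risky(member):
                        findings.append((filename, member, "risky-in-zip"))
        except zipfile.BadZipFile:
            findings.append((filename, None, "unreadable-zip"))
    return findings


def build_sample():
    """Constructed message: a ZIP attachment holding a harmless text stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("application.pif", b"placeholder, not a real program")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="application.zip")
    msg.add_attachment(b"x", maintype="application",
                       subtype="octet-stream", filename="details.pif")
    return msg.as_bytes()
```

A name-only check on this sample would flag `details.pif` and pass `application.zip`; the member listing is what surfaces the second finding.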