At 14:49 01/28/2002 Monday, Ahern, Shannon wrote:
 >Had an interesting morning. One of my lists apparently got a virus
 >attachment distributed to it. But, the list is already set to reject
 >attachments. So we had to do some figuring to understand how that
 >happened. And it seems this virus is clever enough to get past an
 >attachment filter.
 >
 >This virus is sent as plain text, but has a SMTP command *inside* that
 >text (begin 666) which causes Outlook (on the recipient's side) to
 >assume this is an attachment, and separates out the bytes into a
 >attachment file, which is the actual virus executable.
 >
 >So the recipient sees the incoming data as an attachment, and Outlook
 >presents it to the reader as such, despite the fact that the email
 >itself was merely plain text. So rejecting attachments doesn't solve the
 >problem.


 >I was looking in the archive and trying to find someone else's
 >commentary on this, but I couldn't find anything.

YOURS is the *definitive* commentary.

As you said, it did not start off as an email attachment, but some MUA
decided to make it such :-(

 >What I want to know is
 >if there is some way I can filter messages for content (specifically
 >that string that makes the virus be assembled into an attachment on the
 >client machine), and remove this risk that way? I know I can use filter
 >keywords to filter out specific users or ISPs, etc., but is there any
 >way to filter for strings in the message body?

I think the best way of "filtering" is by using a different MUA and
educate your customers not to take candy, nor attachments, from strangers.

/Pete