Hi there-

Had an interesting morning. One of my lists apparently got a virus
attachment distributed to it. But, the list is already set to reject
attachments. So we had to do some figuring to understand how that
happened. And it seems this virus is clever enough to get past an
attachment filter.

This virus is sent as plain text, but has a SMTP command *inside* that
text (begin 666) which causes Outlook (on the recipient's side) to
assume this is an attachment, and separates out the bytes into a
attachment file, which is the actual virus executable.

So the recipient sees the incoming data as an attachment, and Outlook
presents it to the reader as such, despite the fact that the email
itself was merely plain text. So rejecting attachments doesn't solve the
problem.

I was looking in the archive and trying to find someone else's
commentary on this, but I couldn't find anything. What I want to know is
if there is some way I can filter messages for content (specifically
that string that makes the virus be assembled into an attachment on the
client machine), and remove this risk that way? I know I can use filter
keywords to filter out specific users or ISPs, etc., but is there any
way to filter for strings in the message body?

Thanks in advance for any help!

Shannon  :-)
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shannon Ahern
DevelopMentor WebMistress
http://www.develop.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Who do you think you are, God?" asked the victim of my cancelbot. I
replied, "No. God works in mysterious ways. I follow established
protocols." - Richard E. Depew