At 14:49 01/28/2002 Monday, Ahern, Shannon wrote:
>Had an interesting morning. One of my lists apparently got a virus
>attachment distributed to it. But, the list is already set to reject
>attachments. So we had to do some figuring to understand how that
>happened. And it seems this virus is clever enough to get past an
>attachment filter.
>
>This virus is sent as plain text, but has an SMTP command *inside* that
>text (begin 666) which causes Outlook (on the recipient's side) to
>assume this is an attachment, and separates out the bytes into an
>attachment file, which is the actual virus executable.
>
>So the recipient sees the incoming data as an attachment, and Outlook
>presents it to the reader as such, despite the fact that the email
>itself was merely plain text. So rejecting attachments doesn't solve the
>problem.

>I was looking in the archive and trying to find someone else's
>commentary on this, but I couldn't find anything.

YOURS is the *definitive* commentary. As you said, it did not start
off as an email attachment, but some MUA decided to make it such :-(

>What I want to know is
>if there is some way I can filter messages for content (specifically
>that string that makes the virus be assembled into an attachment on the
>client machine), and remove this risk that way? I know I can use filter
>keywords to filter out specific users or ISPs, etc., but is there any
>way to filter for strings in the message body?

I think the best way of "filtering" is by using a different MUA and
educating your customers not to take candy, nor attachments, from
strangers.

/Pete
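
An added example, not part of the original thread: one way to check a plain-text body for the "begin 666" line described above, which is a uuencode header ("begin <mode> <filename>"). It flags the header only when a well-formed uuencoded data line follows, so ordinary prose that starts with "begin" is not rejected. The function names and the sample body are assumptions constructed for illustration; hooking the check into a particular list server is not shown.

```python
import binascii
import re

# uuencode header at the start of a line: "begin <octal mode> <filename>"
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S.*)$")


def is_uu_line(line):
    """True if `line` is a well-formed uuencoded data line."""
    if not line or any(not 32 <= ord(c) <= 96 for c in line):
        return False
    n = (ord(line[0]) - 32) & 0x3F   # decoded byte count claimed by the line
    needed = (n + 2) // 3 * 4        # encoded characters needed for n bytes
    return n <= 45 and len(line) - 1 >= needed


def find_inline_uuencode(body):
    """Return (line_number, mode, filename) for each uuencode header in a
    plain-text body that is directly followed by a valid data line."""
    lines = body.splitlines()
    hits = []
    for i, line in enumerate(lines[:-1]):
        m = BEGIN_RE.match(line)
        if m and is_uu_line(lines[i + 1]):
            hits.append((i + 1, m.group(1), m.group(2).strip()))
    return hits


def sample_body():
    """Constructed message body: harmless bytes uuencoded inline."""
    data = binascii.b2a_uu(b"constructed harmless sample payload").decode("ascii")
    return ("Hi all,\nplease see the note below.\n\n"
            "begin 666 note.txt\n" + data + "`\nend\n")


if __name__ == "__main__":
    for hit in find_inline_uuencode(sample_body()):
        print("reject: inline uuencoded data at line %d (mode %s, name %r)" % hit)
```

A data line whose trailing spaces were stripped in transit fails the length check here, so a production filter may want to relax that test and accept the extra false positives.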