Mailing List Archive

Only partial System Filtering of exe attachments
What am I missing from using the system_filter to stop all exe attachments?
The first is a bounced message; however, the second header listing is one that
still gets through all the time...

[Note: I had to change exe to axe in order to send to this mailing list]

Do I have to duplicate the search for executable content to also look at
something else?

*********************
Correctly bounced header
*********************
------ This is a copy of the message, including all the headers. ------

Return-path: <wvaughan@steelerubber.com>
Received: from [166.82.96.28] (helo=steelerubber.com)
by cadillac.steelerubber.com with esmtp (Exim 4.04)
id 17HPMW-0000YA-00
for wvaughan@steelerubber.com; Mon, 10 Jun 2002 09:37:36 -0400
Message-ID: <3D04ABE5.2CA13776@steelerubber.com>
Date: Mon, 10 Jun 2002 09:38:45 -0400
From: wvaughan <wvaughan@steelerubber.com>
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Walter Vaughan <wvaughan@steelerubber.com>
Subject: test
Content-Type: multipart/mixed;
boundary="------------5AF2B6461D5F24A7066B54CF"

This is a multi-part message in MIME format.
--------------5AF2B6461D5F24A7066B54CF
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

test
--------------5AF2B6461D5F24A7066B54CF
Content-Type: application/octet-stream;
name="Copy.cpuinfo[1].axe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Copy.cpuinfo[1].axe"

*****************
Yet it won't bounce messages like this
*****************
Return-path: <carolann@verizon.net>
Envelope-to: wvaughan@steelerubber.com
Delivery-date: Mon, 10 Jun 2002 08:47:41 -0400
Received: from out002pub.verizon.net ([206.46.170.141] helo=out002.verizon.net)
by cadillac.steelerubber.com with esmtp (Exim 4.04)
id 17HOaB-0000UI-00
for wvaughan@steelerubber.com; Mon, 10 Jun 2002 08:47:39 -0400
Received: from Rsgi ([209.209.179.126]) by out002.verizon.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20020610124636.RLRZ28968.out002.verizon.net@Rsgi>
for <wvaughan@steelerubber.com>; Mon, 10 Jun 2002 07:46:36 -0500
From: carolann <carolann@mostreferred.com>
To: wvaughan@steelerubber.com
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=YbpXikil7936b25O4LcC6j5hye7kQu
Message-Id: <20020610124636.RLRZ28968.out002.verizon.net@Rsgi>
Date: Mon, 10 Jun 2002 07:46:38 -0500
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: oY8!!2dj!!`f)"!XbH"!

--YbpXikil7936b25O4LcC6j5hye7kQu
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>Klez.E is the most common world-wide spreading worm.It's very dangerous by
corrupting your files.<br>
Because of its very smart stealth and anti-anti-virus technic,most common AV
software can't detect or clean it.<br>
We developed this free immunity tool to defeat the malicious virus.<br>
You only need to run this tool once,and then Klez will never come into your
PC.<br>
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV
monitor maybe cry when you run it.<br>
If so,Ignore the warning,and select 'continue'.<br>
If you have any question,please <a href=3Dmailto:carolann@mostreferred.com>mail
to me</a>.</FONT></BODY></HTML>

--YbpXikil7936b25O4LcC6j5hye7kQu
Content-Type: application/octet-stream;
name=freegamesweb.ingava[1].axe
Content-Transfer-Encoding: base64
Content-ID: <Jj8O2xVTf16lR5854>
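The gap the post describes, as an added example that is not from the thread and is not Exim filter code: the bounced message declares its file in a quoted Content-Disposition filename=, while the Klez message carries only an unquoted Content-Type name= and no Content-Disposition at all. The Python below contrasts a check that matches only the first shape with one that reads both parameters from every MIME part; the extension list and the two message samples are constructed, modelled on the headers above.

```python
import re
from email import message_from_string

EXEC_EXTS = ("exe", "com", "pif", "scr", "bat", "vbs")  # constructed list

# Naive rule: only a Content-Disposition header with a *quoted* filename=,
# the shape of the first (correctly bounced) message and nothing else.
NAIVE_RE = re.compile(
    r'^content-disposition:\s*attachment;\s*filename="[^"]*\.(%s)"'
    % "|".join(EXEC_EXTS), re.I | re.M)

def naive_has_exe(raw):
    return NAIVE_RE.search(raw) is not None

def declared_names(raw):
    """Filenames from every MIME part: Content-Disposition filename= or,
    failing that, Content-Type name=, quoted or unquoted."""
    msg = message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def robust_has_exe(raw):
    """True if any part declares a file with an executable extension."""
    return any(n.rsplit(".", 1)[-1].lower() in EXEC_EXTS
               for n in declared_names(raw))

# Constructed samples modelled on the two messages in the post (extension
# restored to .exe; the copy sent to the list had it renamed to .axe).
BOUNCED = """MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/octet-stream; name="Copy.cpuinfo[1].exe"
Content-Disposition: attachment;
 filename="Copy.cpuinfo[1].exe"

AAAA
--B1--
"""
PASSED = """MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=B2

--B2
Content-Type: application/octet-stream;
 name=freegamesweb.ingava[1].exe
Content-Transfer-Encoding: base64

AAAA
--B2--
"""
```

A filter written like NAIVE_RE bounces BOUNCED and passes PASSED; the robust check catches both because it also reads the Content-Type name= parameter.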
Re: Only partial System Filtering of exe attachments
Cory Daehn wrote:
>
> Norton Antivirus has detected Klez for 4 or 5 months now... I have about
> 300 copies of it in my quarantine file. ;-)

I don't want me or any of our users getting any executable content.
I don't understand exim 4.0X nearly enough to rewrite the system_filter
to catch the type of attachments I have been getting recently.