It appears the last round of mails sent by Mytob.dj (or a close variant) is not being detected in the current sigs (921). I'm going by the description here:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

As of last night I only had bounces for samples, and submitted one that was mostly a complete mail (missing just an initial Received: line and a Return-Path:). I added procmail rules based on that and now have complete samples, one of which I submitted a little while ago.

I've attached the procmail rules I'm using to catch any that make it past Clam.

==========================================================
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
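# Small messages whose body opens with the "Dear Valued Member" HTML block
:0 B
* <5000
* ^<html> +$<body> +$<BR><STRONG>Dear Valued Member, </STRONG><BR>
$VirusFolder

# Small messages linking to confirm.php on a bare IP address
# ("." and "?" escaped so they match literally)
:0 B
* <5000
* ^<BR><a href="http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/confirm\.php\?email=
$VirusFolder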