Thanks for the advice, however I'm already blocking certain attachments (via
BANEXT).  Also, these particular attachments aren't encrypted archives (I'm
blocking those too via BANEXT EZIP / BANEZIPEXTS ON).  In this case the
virus itself appears to be Base64 encrypted.

The virus is listed as [EMAIL PROTECTED], where the "enc" does not mean that it was an encrypted file, but instead means that Symantec thinks that it detected E-mail headers that were generated by the virus (don't ask me why they use "enc" to mean this, right at the time when viruses started using encrypted files to spread, so people assume that the "enc" means "encrypted").


In the cases you included, it appears that the virus is getting sent from Person A to Person B, and bouncing to Person C (the only one that is a customer of yours). The bounce message either doesn't include the virus, or perhaps includes part of it, but not enough to be useable. However, Symantec sees the headers from the original E-mail with the virus, and says that it has detected the virus (even though the virus isn't there).

So this is a case where Symantec is detecting corrupt, non-viable variants of viruses, which most virus scanners do not detect (since they are harmless).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
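
The bounce scenario described in the message above, as an added Python example that is not part of the original post and is not Declude or Symantec code: it parses a bounce and reports whether the returned mail carries no attachment body, a cut-off one, or a complete one. The sample messages (simplified, with the delivery-status part omitted), the addresses, `sample.bin` and the function names are constructed for illustration, and the attachment is assumed to be base64-encoded.

```python
import base64, binascii
from email import message_from_string, policy
from email.errors import CloseBoundaryNotFoundDefect

def classify_bounce(raw):
    """Return 'no-payload', 'partial' or 'complete' for the attachment a message carries."""
    verdict = "no-payload"
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.is_multipart():
            # A multipart that never reaches its closing boundary was cut short.
            if any(isinstance(d, CloseBoundaryNotFoundDefect) for d in part.defects):
                return "partial"
            continue
        if part.get_filename() is None:
            continue  # explanatory text or returned headers, no attachment body
        if str(part.get("Content-Transfer-Encoding", "")).strip().lower() == "base64":
            try:
                base64.b64decode("".join(part.get_payload().split()), validate=True)
            except binascii.Error:
                return "partial"  # attachment body does not decode cleanly
        verdict = "complete"
    return verdict

def build_bounce(returned):
    """Constructed, simplified bounce of Person A's mail, delivered to Person C."""
    return ("From: MAILER-DAEMON@mx.example.net\n"
            "To: person-c@example.com\n"
            "Subject: Undeliverable mail\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
            "\n--b1\nContent-Type: text/plain\n\nDelivery to person-b@example.org failed.\n"
            "--b1\n" + returned + "\n--b1--\n")

# B64 is a constructed, harmless stand-in for the attachment bytes.
B64 = base64.b64encode(b"constructed harmless bytes, not malware " * 3).decode()
ORIGINAL = ("Content-Type: message/rfc822\n\n"
            "From: person-c@example.com\nSubject: Re: document\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="x9"\n\n--x9\n'
            "Content-Type: application/octet-stream\n"
            'Content-Disposition: attachment; filename="sample.bin"\n'
            "Content-Transfer-Encoding: base64\n\n")
HEADERS_ONLY = build_bounce("Content-Type: text/rfc822-headers\n\n"
                            "From: person-c@example.com\nSubject: Re: document\n"
                            'Content-Type: multipart/mixed; boundary="x9"\n')
COMPLETE = build_bounce(ORIGINAL + B64 + "\n--x9--")
TRUNCATED = build_bounce(ORIGINAL + B64[:-3])  # body cut off, no closing boundary

if __name__ == "__main__":
    for name, raw in [("headers", HEADERS_ONLY), ("full", COMPLETE), ("cut", TRUNCATED)]:
        print(name, "->", classify_bounce(raw))
```

A scanner hit on a message that this check classifies as `no-payload` or `partial` matches the situation described above: the original headers are present, but a usable attachment is not.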
