What do you do in Global.cfg when an e-mail “fails” the MS Filter? Subtract a bunch of points?

Goran Jovanovic
The LAN Shoppe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 6:41 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!


Hi Andrew:


We have Microsoft in our spam domains, but the problem is Microsoft sends email from so many different reverse DNS names.


ISV, MSDN, MSN, Office Newsletter: all are sent from different providers.  For example:


Here is our MS filter:

MAILFROM 1 ENDSWITH @microsoft.com
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net

REVDNS 1 ENDSWITH .microsoft.com
REVDNS 1 ENDSWITH .zomax.com


But I have seen them send from other reverse DNS names.


So it is not that easy, at least I don't think it is.


These emails are being held at 30+ weight in our system.  All these emails will go to a spam folder for the user (under weight 50) and are deleted at 50.  I am afraid they can think it is a valid email in their spam folder... who knows.


I think we should track this one closely.
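As an added illustration (not Declude's own code and not part of the thread), here is a small Python model of the checks discussed above: ENDSWITH matching on MAILFROM and REVDNS as in the MS filter, plus the "sender claims Microsoft but the body links to a bare IP address" rule Kami describes. The addresses, hostnames and message body are constructed samples.

```python
import re
from ipaddress import ip_address

# The thread's MS filter, modelled as (field, weight, suffix) ENDSWITH rules.
# This is a simplified model; real Declude filter files support more tests.
MS_FILTER = [
    ("MAILFROM", 1, "@microsoft.com"),
    ("MAILFROM", 1, ".microsoft.com"),
    ("MAILFROM", 1, ".arvatousa.net"),
    ("REVDNS", 1, ".microsoft.com"),
    ("REVDNS", 1, ".zomax.com"),
]

# http(s) URL whose host is a dotted quad, e.g. http://192.0.2.10/install.exe
IP_LINK_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|\b)")


def filter_score(mailfrom, revdns, field=None, rules=MS_FILTER):
    """Sum the weights of ENDSWITH rules that match; optionally only one field."""
    values = {"MAILFROM": mailfrom.lower(), "REVDNS": revdns.lower()}
    return sum(w for f, w, suffix in rules
               if (field is None or f == field) and values[f].endswith(suffix.lower()))


def ip_links(body):
    """Return IP-literal hosts linked from the body, keeping only valid IPv4 addresses."""
    found = []
    for host in IP_LINK_RE.findall(body):
        try:
            ip_address(host)  # drops malformed quads such as 999.1.1.1
            found.append(host)
        except ValueError:
            pass
    return found


def classify(mailfrom, revdns, body):
    """Return (verdict, reason) for one message using the rules above."""
    claims_ms = filter_score(mailfrom, revdns, "MAILFROM") > 0
    rdns_ok = filter_score(mailfrom, revdns, "REVDNS") > 0
    links = ip_links(body)
    if claims_ms and links:
        return "hold", "Microsoft sender with IP-literal link(s): %s" % ", ".join(links)
    if claims_ms and not rdns_ok:
        return "suspect", "Microsoft sender but reverse DNS %s not in filter" % revdns
    return "pass", "no rule fired"


# Constructed sample messages (documentation-range IP, hypothetical hostnames).
SPOOF = ("updates@microsoft.com", "mail.example.net",
         "Urgent Windows Update: http://192.0.2.10/express/install.exe")
LEGIT = ("newsletter@microsoft.com", "smtp.microsoft.com",
         "See http://www.microsoft.com/ for details.")
```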





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Sunday, April 10, 2005 6:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

No, that email address is not valid.  Those emails have been easily held over on my system.


You can certainly block that bogus MAILFROM but since the bad guys will continue to change it as they hatch new spoofs, why not split out your SPAMDOMAINS into groups that are likely to be abused, and weight those high enough to meet your HOLD weight?


Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 12:38 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Windows Update!



In the past hour I have seen several emails caught as spam but the weight still not high enough to be deleted with subject: Urgent Windows Update.


As everyone (?) knows, this is the recent attempt to install a worm on the visitor's computer; there is a link to the Express install and no attachments.


The link is an IP address.


I think ClamAV detects such behavior but it is not catching it yet and I just checked the update.


For now I created a filter so that if the email is from Microsoft and there is an IP address in the body, the email is blocked.


This one email came from [EMAIL PROTECTED] - I really don't think that is a valid MS address.  Does anyone know if this is a valid address?  Maybe it is worthwhile to block it for now.


This week MS will be releasing some major updates, and from what I read this scam was about to be released today... so it is starting, at least on our system.