I've seen similar behavior with viruses found by AVG.
-------- Original Message -------- > From: "Andy Schmidt" <[EMAIL PROTECTED]> > Sent: Wednesday, December 13, 2006 12:42 PM > To: "'Declude Virus List'" <declude.virus@declude.com> > Subject: [Declude.Virus] Sender.eml was sent even though forging virus? > > Hi, > > My "sender.eml" has the line: > SKIPIFFORGING > > And my virus.CFG has: > > AUTOFORGE ON > > FORGINGVIRUS Anonymous Driver > FORGINGVIRUS Antiman > FORGINGVIRUS Avril > FORGINGVIRUS Bagle > > Yet, declude virus just sent the "sender.eml" for the following details: > > File: "Unknown File" > Result: FoundI-Worm/Bagle > Message ID: <[EMAIL PROTECTED]> > Our Domain: Schmidt.AS for Schmidt.AS > Queue ID: D324e01530000b795.smd > > Based on these headers: > > -----Original Message Headers----- > Received: from [62.93.44.11] [62.93.44.11] by hm-software.com with ESMTP > (SMTPD-9.10) id A24E331D0; Wed, 13 Dec 2006 12:03:10 -0500 > Date: Wed, 13 Dec 2006 18:03:11 +0100 > To: "Andy" <[EMAIL PROTECTED]> > From: "Webmaster" <[EMAIL PROTECTED]> > Subject: price 13-Dec-2006 > Message-ID: <[EMAIL PROTECTED]> > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="--------oibzhbgyvnajpcxfwpdt" > > > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
