http://isc.sans.org/diary.php?storyid=1988
BANNAME Greeting Card.exe BANNAME Greeting Postcard.exe BANNAME GreetingCard.exe Which may be related to a rash these that my mailserver received on Dec 28th, as the executables are the same size but contain may differences: BANNAME postcard.exe As of this writing, F-Prot detected neither executable, and Trend Micro does not yet, unless you use the "CPR" version to obtain the beta of the next pattern update. Andrew. > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Darrell ([EMAIL PROTECTED]) > Sent: Tuesday, December 26, 2006 6:05 AM > To: declude.virus@declude.com > Subject: Re: [Declude.Virus] How to block an IP > > Joe, > > Just add the IP or CIDR block into the SMTP access control in Imail. > > Darrell > -------------------------------------------------------------- > ---------- > Check out http://www.invariantsystems.com for utilities for > Declude And Imail. IMail/Declude Overflow Queue Monitoring, > SURBL/URI integration, MRTG Integration, and Log Parsers. > > ----- Original Message ----- > From: "J Porter" <[EMAIL PROTECTED]> > To: <declude.virus@declude.com> > Sent: Monday, December 25, 2006 11:06 PM > Subject: [Declude.Virus] How to block an IP > > > Is there a way to block an IP address before analysis by > Declude's AV (Ver > 1.82 - Imail 8.x)? > > I thought I should be able to do this with rules.ima by > looking for a line > in the header. So I have a line that says > H~xxx\.yyy\.zz\. > but it doesn't work. (In case you can't see it, the lines > read \. = slash > dot per Ipswitch docs) I don't think the H~ (header contains) > command reads > everything in the header. > > ~Joe > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
