On 8/19/2003 5:31 PM, Scott Haneda deftly typed out: >> So far, my Rule isn�t working. (I have a total of 8 Rules). Here�s how the >> Delete .PIF rule is set up: > > not all of these viruses are having a legit attachment, look at the headers, > and you will see the attachment is in the body of the message. I would bet > that the "attachment" part of the rule looks for name=*.pif in the heeaders, > I have seen hundreds that do not have this in the headers, it is in the > body.
Attachment information is never in the headers that I know of. It is in the MIME part in the messages "body." Unfortunately, Entourage's rule criteria "Message Body" doesn't look at the source of the message, just the decoded body. For example, a rule that looks for "<href" in the "Message Body" doesn't trigger when receiving an HTML-formatted message. What is also too bad is that Entourage doesn't have an option to search the message source. I do have a rule that works correctly for catching messages with attachments of certain types, however. The rule looks like: If any criteria are met Attachment Name ends with .pif Attachment Name ends with .exe Attachment Name ends with .scr Attachment Name ends with .vbs Attachment Name ends with .vbe Attachment Name ends with .bat Attachment Name ends with .jse Set Category Virus This rule works well for me. -Remo Del Bello -- "I think love is a snowmobile racing across the arctic tundra which suddenly flips, pinning you underneath. At night, the ice-weasels come...." - Matt Groening -- To unsubscribe: <mailto:[EMAIL PROTECTED]> archives: <http://www.mail-archive.com/entourage-talk%40lists.letterrip.com/> old-archive: <http://www.mail-archive.com/entourage-talk%40lists.boingo.com/>
