RE: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-20 Thread Nick FitzGerald
"Bojan Zdrnja" <[EMAIL PROTECTED]> wrote: > Agreed (although - most users will send Windows attachments ;-). > > Anyway, for that purpose, a regular expression like: > > \.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com) > > Will do it. Amavisd-new has a nice default example for this. Hm --

RE: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-20 Thread Bojan Zdrnja
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Brown, Nicholas > Sent: Friday, 21 November 2003 3:48 a.m. > To: [EMAIL PROTECTED] > Subject: RE: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES > > Bojan Zdr

RE: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-20 Thread Brown, Nicholas
Bojan Zdrnja Wrote: ... >That is why you should implement content blocking at your e-mail server. >There is absolutely no reason to allow .scr files to go around. If you had >this blocked, it would stop MiMail-I without AV updates. >Also, note that this attachment has double extension, which should

RE: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Bojan Zdrnja
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Larry Hand > Sent: Saturday, 15 November 2003 8:38 a.m. > To: [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES > > On Thursda

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Andrew J Caines
Paul, > As an email administrator, when I receive a spam complaint for a piece of > dreck that obviously did not originate from our network or pass through > our servers, I think "this doofus can't read headers", and I usually send > a polite note explaining that sender addresses can be forged a

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Paul Russell
Rachael Treu wrote: Agreed, but I still forward to yahoo.com to make them aware, as they're likely to receive complaints from folks that briefly parse the headers. Then again, I'm a security engineer for a provider that is frequently deluged by such clamoring, so that, indeed, might be just me...

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Larry Hand
On Thursday 13 November 2003 04:43 pm, Larry Hand wrote: > Anyone else seeing this? It comes with an attachment Paypal.asp.scr. > Anyone know what it is? It sure looks suspicious. And a bunch of people answered! Thanks to you all. Thanks for the links. I expect it's that MiMail trojan. It's rare

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Rachael Treu
On Fri, Nov 14, 2003 at 12:39:34AM -0700, Irwan Hadi said something to the effect of: > On Thu, Nov 13, 2003 at 07:44:27PM -0600, Rachael Treu wrote: > > > Delete it or forward it to [EMAIL PROTECTED] > > > > Headers (at least on the copy I received) identify the man behind > > the curtain as...

mimail trojan horses [WAS: Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES]

2003-11-14 Thread Gadi Evron
Actually the answer just came right now: http://www.sophos.com/virusinfo/analyses/w32mimaili.html W32/Mimail-I is a worm which spreads via email using addresses harvested from the hard drive of your computer. All email addresses found on your PC are saved in a file named el388.tmp in the Windows fo

SV: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Peter Kruse
Hi, This description is identical to a new variant of the MiMail-family. If executed the worm tries to steal Paypal account information. Detailed analysis of the worm can be found on several Antivirus vendors' websites. We are seeing an increase in submitted samples during the past 3 hours. Antivi

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Scott A. McIntyre
All, > From [EMAIL PROTECTED] Thu Nov 13 17:28:51 2003 Return-Path: <[EMAIL PROTECTED]> Received: from 81.249.20.142 (APuteaux-111-1-5-142.w81-249.abo.wanadoo.fr +[81.249.20.142]) I don't think yahoo.com has something to do here, since the culprit is one user from wanadoo.fr He just spoofed some

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Irwan Hadi
On Thu, Nov 13, 2003 at 07:44:27PM -0600, Rachael Treu wrote: > Delete it or forward it to [EMAIL PROTECTED] > > Headers (at least on the copy I received) identify the man behind > the curtain as... > > >From [EMAIL PROTECTED] Thu Nov 13 17:28:51 2003 > Return-Path: <[EMAIL PROTECTED]> > Receiv

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Irwan Hadi
On Fri, Nov 14, 2003 at 12:52:24AM -0200, Rodrigo Barbosa wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Thu, Nov 13, 2003 at 04:43:16PM -0800, Larry Hand wrote: > > Anyone else seeing this? It comes with an attachment Paypal.asp.scr. > > Anyone know what it is? It sure looks su

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-13 Thread Rodrigo Barbosa
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Thu, Nov 13, 2003 at 04:43:16PM -0800, Larry Hand wrote: > Anyone else seeing this? It comes with an attachment Paypal.asp.scr. > Anyone know what it is? It sure looks suspicious. I beg your pardon, but ... suspicious ?!?! :) > -- Forwar

RE: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-13 Thread Christopher F. Herot
.SCR files are Windows screen savers - actually renamed .EXEs - and a well-known way of distributing worms. > -Original Message- > From: Larry Hand [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 13, 2003 7:43 PM > To: [EMAIL PROTECTED] > Subject: [Full-Disclo

RE: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-13 Thread damned
Hello, Larry. *.scr - equivalent of *.exe files. 100% Trojan horse or another malware. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Hand Sent: 14 ?? 2003 ?. 3:43 To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Fwd: YOUR PAYPAL.COM

Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-13 Thread Rachael Treu
Delete it or forward it to [EMAIL PROTECTED] Headers (at least on the copy I received) identify the man behind the curtain as... >From [EMAIL PROTECTED] Thu Nov 13 17:28:51 2003 Return-Path: <[EMAIL PROTECTED]> Received: from 81.249.20.142 (APuteaux-111-1-5-142.w81-249.abo.wanadoo.fr +[81.249.20

[Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-13 Thread Larry Hand
Anyone else seeing this? It comes with an attachment Paypal.asp.scr. Anyone know what it is? It sure looks suspicious. -- Forwarded Message -- Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES Date: Fri, 14 Nov 2003 03:29:00 -0500 From: PayPal.com <[EMAIL PROTECTED]> To: [EMAIL PROTECT