On Fri, 19 Sep 2003, Bruce Pennypacker wrote: > Jim wrote: > > On Thu, Sep 18, 2003 at 11:00:40PM +0500, Ivar Magne Auestad wrote: > > > >>You are writing in the FAQ that you don't focus on viruses, but I have a > >>suggestion. It would be very easy to add attachment type as a qualifyer. > >>Very many viruses are attached as .pif-files or double extention > >>attachments (document.doc.exe) or refered to as inline mime code. This > >>would remove quite some prosent of the viruses spread. > > > > > > > > Set yourself a higher score for the "MICROSOFT_EXECUTABLE" test. > > The problem I'm finding with the latest worm is that sometimes the MIME > attachment for the actual worm isn't included in the e-mail. I've > already set MICROSOFT_EXECUTABLE high but I'm still getting a few > e-mails an hour that consist of the worms e-mail without the worm > actually attached. Since there's no executable SA isn't filtering these > properly. So relying on this as a method to block worms like this > doesn't always work.
I seeing this also. A message I saw on another list earlier today stated that there seemed to be a bug in the virus that sometimes allowed it to send its message without the exe. as a result the virus scanners were missing it. HTH, -- ......Tom Registered Linux User #14522 http://counter.li.org [EMAIL PROTECTED] My current SpamTrap -------> [EMAIL PROTECTED] ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk