Dave Ewart wrote:
> On Tuesday, 27.07.2004 at 15:27 +0200, Lionel Bouton wrote:
>> You might want to be more accurate than that: worms using mail for
>> propagation usually fake the From header, but when clamav detects a
>> virus using other means of propagation (meaning the From couldn't be
>> faked by the virus), notifying the sender is useful.
>> Amavisd-new is configured to do this by using:
>>
>> $viruses_that_fake_sender_re = new_RE(
>>   ...
>>   qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
>>   [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
>>   [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
>> );
>
> Interesting.
>
> I have heard of a particular incident where a sysadmin received a "you
> have sent us a virus" message, replied with the standard "hey, don't you
> know that most viruses fake headers, this autoreply from you is just
> adding clutter", only to then be told that, "actually, this *particular*
> virus does *not* fake the headers and your system really *does* have a
> virus ..."
>
> :-)

That's why subscribing to lists like this is useful.
You learn something new every day, like the plural of "virus"...
Next time someone tells me that "don't you know that virii fake
headers", I can correct him twice. :-)

--
Paul Bijnens, Xplanation Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ... "Are you sure?" ... YES ... Phew ... I'm out *
***********************************************************************
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
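
Added example, not part of the original thread and not amavisd-new's own code: a Python model of how the three list entries visible in the quoted config decide whether a sender notification makes sense. It assumes the list is checked top to bottom with the first match deciding, that a bare regex means "sender is faked", and that a [regex => 0] pair means "sender is genuine"; the function names and the sample virus names are constructed, and the entries elided as "..." are left out.

```python
import re

# Entries visible in the quoted config, in the order shown on the page.
# Assumption: bare regex => True (sender faked), [regex => 0] => False.
FAKE_SENDER_RULES = [
    (re.compile(r"Worm", re.I), True),
    (re.compile(r"^(EICAR|Joke\.|Junk\.)", re.I), False),
    (re.compile(r"^(WM97|OF97|W95/CIH-|JS/Fort)", re.I), False),
]


def sender_is_faked(virus_name, rules=FAKE_SENDER_RULES):
    """Verdict of the first matching rule, or None if no rule matches."""
    for pattern, verdict in rules:
        if pattern.search(virus_name):
            return verdict
    return None


def should_notify_sender(virus_names, unmatched_is_faked=True):
    """Notify only when every detected name is classed as not faking From.

    Assumption: names that match no rule are treated as sender-faking by
    default, so an unknown worm does not generate backscatter.
    """
    for name in virus_names:
        verdict = sender_is_faked(name)
        if verdict is None:
            verdict = unmatched_is_faked
        if verdict:
            return False
    return True


if __name__ == "__main__":
    # Constructed scanner names, for illustration only.
    for name in ["Worm.Example.A", "Eicar-Test-Signature",
                 "WM97/Example-A", "Joke.Worm.Example", "Trojan.Example.B"]:
        print(f"{name:22} faked={sender_is_faked(name)} "
              f"notify={should_notify_sender([name])}")
```

Order matters in this model: "Joke.Worm.Example" is classed as sender-faking because the unanchored Worm pattern is checked before the anchored Joke. exception.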