Thanks. Upon further inspection, I found that the original attachment was replaced with a text file indicating that the original attachment had in fact been "dangerous" and had been deleted, which explains why Declude Virus let it through.
I'm going to go look at your FORIEGN/TLD filter set now.

Thank you.

Jeff

----- Original Message -----
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 18, 2003 3:10 PM
Subject: Re: [Declude.JunkMail] Best Way to block the below message ??

> SPAMDOMAINS wouldn't work on this message because the MAILFROM is not
> microsoft.com.
>
> It appears to be a virus, in which case Declude Virus would be the best
> method of blocking it. If you don't want to run that, then I also
> believe that this message uses extensions like PIF and SCR, in which
> case a body filter for .pif" and .scr" would probably pick it up (use
> the quotes accordingly).
>
> If you are running Declude JunkMail Pro (needed for the above as well),
> then my FORIEGN/TLD filter set would have added 3 points to the message
> (depends on how you score it though). You can get that filter set at
> http://www.mailpure.com/software/decludefilters/
>
> There might well be other filters that would also add points to the body
> content. I wouldn't know though because Declude Virus is blocking all
> of this stuff.
>
> Matt
>
>
>
> Jeff Pereira wrote:
>
> > What would be the best way (I know best is subjective) to block a
> > message like the one below ?
> >
> > Would adding microsoft.com to my SPAMDOMAINS file work ??
> >
> > Thank you.
> >
> > Jeff
> >
> > Received: from av3.stonline.sk [213.81.152.34] by updatenyc.com with ESMTP
> >   (SMTPD32-8.04) id A1CA33F0062; Tue, 18 Nov 2003 03:01:14 -0500
> > Received: from smtp.stonline.sk ([192.168.4.53])
> >   by av3.stonline.sk (8.12.10/8.11.6) with ESMTP id hAI7wHJi029648
> >   for <[EMAIL PROTECTED]>; Tue, 18 Nov 2003 08:58:17 +0100
> > Received: from rwos (telecom-213-161-129.telecom.sk [213.81.161.129])
> >   by smtp1.stonline.sk (STOnline ESMTP Server)
> >   with SMTP id <[EMAIL PROTECTED]> for [EMAIL PROTECTED];
> >   Tue, 18 Nov 2003 08:58:17 +0100 (MET)
> > Date: Tue, 18 Nov 2003 08:57:50 +0100 (MET)
> > Date-warning: Date header was inserted by smtp1.stonline.sk
> > From: Microsoft Corporation Network Security Center
> >   <[EMAIL PROTECTED]>
> > Subject: Network Security Update
> > To: Commercial User <[EMAIL PROTECTED]>
> > Message-id: <[EMAIL PROTECTED]>
> > MIME-version: 1.0
> > Content-type: multipart/mixed;
> >   boundary="Boundary_(ID_P1VN7aaL239Vja+tPXlFZw)"
> > X-RAVMilter-Version: 8.4.3(snapshot 20030212) (av3.stonline.sk)
> > X-Declude-Sender: [EMAIL PROTECTED] [213.81.152.34]
> > X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
> >   for spam.
> > X-Spam-Tests-Failed: IPNOTINMX [0]
> > X-Note: Total spam weight of this E-mail is 0.
> > X-Country-Chain:
> > X-Note: This E-mail was sent from av3.stonline.sk ([213.81.152.34]).
> > X-RCPT-TO: <[EMAIL PROTECTED]>
> > Status: U
> > X-UIDL: 349464161
> >
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
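
Added example, not part of the thread and not Declude filter syntax: a Python sketch of the body-filter idea Matt describes (match `.pif"` / `.scr"` including the closing quote) next to a MIME-aware filename check. The sample message, addresses and function names are constructed for illustration.

```python
import email

RISKY_EXTENSIONS = (".pif", ".scr")  # the two extensions named in the thread

# Constructed sample (not the message from the thread): the body text mentions
# ".pif" in passing, and the attachment is named update.scr.
SAMPLE = b"""\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Rename the .pif shortcut before you archive it.
--b1
Content-Type: application/octet-stream; name="update.scr"
Content-Disposition: attachment; filename="update.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
# Same message with the filename parameters sent unquoted (also valid MIME).
UNQUOTED = SAMPLE.replace(b'"update.scr"', b"update.scr")

def raw_substring_hits(raw, suffix='"'):
    """Body-filter style: search the raw text for extension + suffix."""
    text = raw.decode("latin-1").lower()
    return [ext for ext in RISKY_EXTENSIONS if ext + suffix in text]

def attachment_hits(raw):
    """MIME-aware: filenames of parts whose name ends in a risky extension."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for label, raw in (("quoted", SAMPLE), ("unquoted", UNQUOTED)):
        print(label, raw_substring_hits(raw, ""), raw_substring_hits(raw),
              attachment_hits(raw))
```

The closing quote keeps the substring match from firing on ".pif" in ordinary body text, but it also misses an attachment whose filename parameter is sent without quotes; the parsed check catches both forms.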
