Have a virus scanner that correctly identified the email as having a virus attachment, but it still passed along the "cleaned" (i.e., the attachment was removed) email. I was asked if there was a way to "trash" the resulting "cleaned" email...

On Jul 28, 2005, at 4:13 PM, Rick Macdougall wrote:

Dr Robert Young wrote:


We had a very short spam come in (actually it had a virus attachment named "updated-password.zip"). There is not much to grab onto

Content analysis details:   (1.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
 0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE

so I wonder if one can use a rule to look for the name of the attachment in the header/body of the email to ID this (see below). Any thoughts on how to approach? Using SA 3.0.4 with Razor2 installed.


How about running a virus scanner like clamav ?

Regards,

Rick
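
Added example, not part of the original thread and not a SpamAssassin rule: a Python sketch of the check asked about above, reading the declared attachment names from a message's MIME parts and deciding whether to discard it. The sample message, the blocked-extension list, and the names `attachment_names` and `verdict` are assumptions made for illustration; only the file name "updated-password.zip" comes from the post.

```python
import re
from email import message_from_string, policy

# Constructed sample message (not from the thread); only the attachment name
# "updated-password.zip" is taken from the post above.
SAMPLE = """\
From: sender@example.com
To: recipient@example.org
Subject: account notice
MIME-Version: 1.0
X-Priority: 3
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>See the attached file.</body></html>
--b1
Content-Type: application/octet-stream; name="updated-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="updated-password.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Hypothetical local policy: exact names seen in an outbreak, plus file types
# the site never wants to receive by mail.
BLOCKED_NAMES = {"updated-password.zip"}
BLOCKED_EXT = re.compile(r"\.(exe|scr|pif|bat|cmd)$", re.IGNORECASE)

def attachment_names(raw):
    """Return the file names declared on the MIME parts of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back
        # to the Content-Type name= parameter, decoding RFC 2231 values.
        name = part.get_filename()
        if name:
            names.append(name.strip())
    return names

def verdict(raw):
    """Return ("discard", hits) if any attachment name is blocked, else ("deliver", [])."""
    hits = [n for n in attachment_names(raw)
            if n.lower() in BLOCKED_NAMES or BLOCKED_EXT.search(n)]
    return ("discard", hits) if hits else ("deliver", [])
```

A name match only works while the attachment's MIME headers are still present, so a check like this has to run before any scanner strips the part.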


