From: Rich Shepard [mailto:[EMAIL PROTECTED]
>
> With your help the amount of spam getting past the various filters in my
> inbox (and that of my fiancee) has dropped dramatically. I appreciate
> learning from all of you.
>
> The past couple of days has seen the arrival of a new mutant species of
> spam: the empty message with a Windows .exe attachment that is base64
> encoded. SpamAssassin is giving them scores of 0.0. I have a postfix filter
> checking for exposed .exe attachments, but nothing seems to catch these
> guys. To add insult to injury, I have a postfix body check for '/Empty or
> malformed message/' that did nothing when the original message came in, but
> prevented me from sending it on to the list here. :-(

Don't: it is a virus...

> Below are the headers from one example, with the uucoded part removed. If
> I tell pine to look at the attachments, and start to save it, the name comes
> up with a .exe extension. If anyone has suggestions on how to identify and
> reject this format, please share them with me.
>
> Rich

Rich,
it is not spam: it is a mutant virus.
I've amavisd-new installed in my systems and I managed to block mails with .exe attachments, since often ClamAV and BDC are not up-to-date enough to identify this threat.

Giampaolo

>
> --
> Richard B. Shepard, Ph.D.          | The Environmental Permitting
> Applied Ecosystem Services, Inc.   | Accelerator(TM)
> <http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863
> ===========================================================================
>
> From [EMAIL PROTECTED] Sun Jan 28 04:31:09 2007
> Return-Path: <[EMAIL PROTECTED]>
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: by salmo.appl-ecosys.com (Postfix, from userid 1006)
>       id E6FC7DE; Sun, 28 Jan 2007 04:31:08 -0800 (PST)
> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on salmo.appl-ecosys.com
> X-Spam-Level:
> X-Spam-Status: No, score=0.0 required=4.0 tests=BAYES_50 autolearn=no
>       version=3.1.7
> Received: from abjn32.neoplus.adsl.tpnet.pl (abjn32.neoplus.adsl.tpnet.pl [83.7.155.32])
>       by salmo.appl-ecosys.com (Postfix) with SMTP id 210A258
>       for <[EMAIL PROTECTED]>; Sun, 28 Jan 2007 04:29:55 -0800 (PST)
> Received: from egvvx ([116.82.221.212])
>       by abjn32.neoplus.adsl.tpnet.pl (8.13.4/8.13.4) with SMTP id l0SCY7oD053228;
>       Sun, 28 Jan 2007 13:34:07 +0100
> Message-ID: <[EMAIL PROTECTED]>
> Date: Sun, 28 Jan 2007 13:29:22 +0100
> From: Dooley Dinah <[EMAIL PROTECTED]>
> User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
> MIME-Version: 1.0
> To: [EMAIL PROTECTED]
> Subject: Love at First Sight
> Content-Type: multipart/related;
>       boundary="------------010904090903010104020004"
>
>
>   [ Empty or malformed message. Displaying raw text. ]
>
> --------------010904090903010104020004
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
>
>
> --------------010904090903010104020004
> Content-Type: application/x-msdownload;
>       name="flash postcard.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: inline;
>       filename="flash postcard.exe"
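
An added illustration, not part of the original thread and not code from amavisd-new, SpamAssassin or Postfix: a MIME-aware check that flags the attachment in the quoted message by its declared filename and content type, and goes one step further by decoding the base64 payload and testing for the `MZ` executable signature, so a renamed attachment is caught as well. The blocklists, the function names `executable_parts` and `build_sample`, and the sample payload are assumptions constructed for the example.

```python
import base64
from email import message_from_string, policy

# Assumption: local policy lists, not taken from the thread.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
BOUNDARY = "------------010904090903010104020004"  # boundary from the quoted headers

def executable_parts(raw):
    """Return [(filename, reasons)] for MIME leaf parts that look like Windows executables."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        reasons = []
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            reasons.append("extension")
        if part.get_content_type() in BLOCKED_TYPES:
            reasons.append("content-type")
        # decode=True undoes base64, so this sees bytes that a raw body regex never does.
        if (part.get_payload(decode=True) or b"")[:2] == b"MZ":
            reasons.append("mz-header")
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings

def build_sample(filename, ctype, data):
    """Constructed message shaped like the quoted one: empty text part plus one attachment."""
    return "\n".join([
        "Subject: Love at First Sight",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/related; boundary="{BOUNDARY}"',
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed",
        "Content-Transfer-Encoding: 7bit",
        "",
        "",
        f"--{BOUNDARY}",
        f'Content-Type: {ctype}; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: inline; filename="{filename}"',
        "",
        base64.b64encode(data).decode("ascii"),
        f"--{BOUNDARY}--",
    ])

FAKE_PE = b"MZ" + b"\x00" * 30  # constructed: magic bytes plus filler, not a real program
```

The extension and content-type checks depend on what the sender declares in the MIME headers; only the `mz-header` check looks at the decoded content.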