Hi,

>> These are a real concern. If you receive any kind of real mail volume,
>> you're receiving these too, and they're not always being caught by
>> RBLs or virus scanners. Or even our well-trained bayes.
>>
>> http://pastebin.com/YhLBqpKm
>>
>> I used to have some rules that would reliably block them, but they're
>> not performing well now at all.
>>
>> I'm posting this in hopes someone has some other ideas, as well as to
>> raise awareness about their existence.
>>
>> Ideas greatly appreciated.
>
> SA isn't the right tool to detect virus infected attachments
>
> This is an "offtopic" suggestion.
>
> disassemble the macro, write a HEX or YARA sig for ClamAV.
> (not very hard)
> For help with that, ask the ClamAV list.

This is after the fact, and it's also already being done, but not very
effectively. The people writing the virus sigs are much more capable
and apparently still aren't able to stop them. PDFs are also a
problem.

I'm just looking for something to supplement that effort.

Curiously, the pastebin has been removed, despite the captcha. Is this
something people have experienced before?
