>
> Gee, if I had provided a little more info my post might have made more
> sense huh? I was reading on the Mcafee site about the W32/Sircam worm
> and they said that it sends itself "using one of the following
> extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment
> names having double-extensions." Sooo, I was suggesting... you may
> want to add the .lnk extension to your system filters, and I was asking
> if anyone else had a better idea?
>
> Thanks,
> -jm
>
Personally I don't like using the generic filter for viruses (I see too
many false positives).
Yesterday I added this to my filter and in less than 24 hours it's
caught over 4,100 copies of the Sircam virus:

    # Sircam: both body phrases plus the start of the base64-encoded attachment
    if "$message_body" contains "Hi! How are you" and
       "$message_body" contains "See you later" and
       "$message_body" contains "TVpQAAIAAAAEAA8A" then
      seen finish
    endif

It's probably not foolproof, but it's working here with no false positives
so far (I was getting false positives until I added the third check, which
is just the first few bytes of the MIME encoded attachment).
Mark
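The rule Mark posted, rebuilt in Python as an added example (this is not code from the thread or from any mail server; the two sample messages are constructed here). It shows why the third check matters: "TVpQAAIAAAAEAA8A" base64-decodes to bytes beginning with the "MZ" magic of a DOS/Windows executable, so the rule only fires when a message carrying the two greeting phrases also contains an executable attachment, while a message that merely contains the two phrases, which the two-check version would have blocked, passes through. The 16-character string pins the exact header bytes of one compiled executable, so a differently built variant would need the signature updated; the decode helper is what you would use to derive the new string.

```python
import base64

# The three substrings from the posted Exim filter rule.
GREETING = "Hi! How are you"
SIGNOFF = "See you later"
# First 16 base64 characters of the worm's attachment, as quoted in the post.
B64_HEADER = "TVpQAAIAAAAEAA8A"


def decode_b64_prefix(prefix: str) -> bytes:
    """Decode a base64 prefix (length must be a multiple of 4) to raw bytes."""
    return base64.b64decode(prefix)


def is_dos_executable_header(data: bytes) -> bool:
    """True if the bytes begin with the 'MZ' magic of a DOS/Windows executable."""
    return data[:2] == b"MZ"


def matches_two_checks(raw_message: str) -> bool:
    """The rule as it was before the third check: only the two body phrases.

    Exim's 'contains' is a plain case-sensitive substring test, mirrored here.
    """
    return GREETING in raw_message and SIGNOFF in raw_message


def matches_sircam_rule(raw_message: str) -> bool:
    """The posted three-check rule: both phrases and the attachment header."""
    return matches_two_checks(raw_message) and B64_HEADER in raw_message


# Constructed sample 1: a worm-style message. The base64 line is filler after
# the 16-character header; only the prefix is decoded below.
SAMPLE_WORM = (
    "Subject: document\n"
    'Content-Type: multipart/mixed; boundary="bnd"\n\n'
    "--bnd\nContent-Type: text/plain\n\n"
    "Hi! How are you?\n\n(body text omitted)\n\nSee you later. Thanks\n\n"
    "--bnd\nContent-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n\n"
    "TVpQAAIAAAAEAA8A////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "--bnd--\n"
)

# Constructed sample 2: a human mail that happens to use both phrases and has
# no attachment. This is the kind of false positive the third check removes.
SAMPLE_BENIGN = (
    "Subject: lunch\n"
    "Content-Type: text/plain\n\n"
    "Hi! How are you doing? Lunch tomorrow?\n\nSee you later,\nAlice\n"
)


def classify(messages: dict) -> dict:
    """Run both rule versions over a {name: raw_message} mapping.

    Returns {name: (two_check_hit, three_check_hit)} so the difference between
    the versions is visible per message.
    """
    return {
        name: (matches_two_checks(msg), matches_sircam_rule(msg))
        for name, msg in messages.items()
    }


if __name__ == "__main__":
    header = decode_b64_prefix(B64_HEADER)
    print("decoded header:", header, "MZ executable:", is_dos_executable_header(header))
    for name, (two, three) in classify(
        {"worm": SAMPLE_WORM, "benign": SAMPLE_BENIGN}
    ).items():
        print(f"{name}: two-check={two} three-check={three}")
```

Running it prints the decoded header bytes and, for each sample, whether the two-check and three-check rules fire; the benign message trips only the two-check version.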