-
November 23rd, 2005, 07:16 PM
#11
Another setting that may help is to turn off the "reply to sender" option for infected mail in your AV gateway scanner. That option just adds a lot of overhead to the system that you just don't need at times like this.
Since the source address is likely spoofed anyway, it just generates a bounce and more overhead. Best to just trash 'em.
-
November 23rd, 2005, 09:47 PM
#12
Trend has a very useful help library.
Cleaning compressed mail attachments
Cleaning compressed files attached to an email message involves decompressing the compressed file, cleaning the contents, and then recompressing the file. For example, if there are five files, A.doc, B.doc, C.doc, D.doc, and E.doc: C.doc is infected with a macro virus, and they are all packed into a single compressed file called docs.zip: [docs.zip(A.doc, B.doc, C.doc, D.doc, E.doc)]. You can set Trend Micro PC-cillin Internet Security to detect the virus in C.doc, issue an alert, and write the event to the Virus log.
If you have selected the Clean viruses in compressed files check box, because C.doc is in the first layer, Trend Micro PC-cillin Internet Security will automatically execute the Clean action when Internet Security detects a virus up to the second layer.
Important: PC-cillin Internet Security is able to carry out this Clean scan action only if the infected file is contained in the first layer [docs (A.doc, B.doc, C.doc, D.doc, E.doc)] of the compressed file.
However, suppose C.doc was located in a deeper layer of compression, for example, (docs +2.zip{docs+1.zip[docs.zip(A.doc, B.doc, C.doc, D.doc, E.doc)]}). Although PC-cillin Internet Security could detect the virus, it is unable to perform any scan action. Therefore, if you want to clean C.doc, use WinZip, or another compression program to decompress the compressed file. When the individual files have been decompressed, right-click C.doc and click Trend Micro PC-cillin Internet Security. Trend Micro PC-cillin Internet Security will perform the scan action you have specified.
To clean a compressed mail attachment:
On the PC-cillin Internet Security main window, click Email > Mail Scan (or Webmail Scan).
Under Scan actions, make sure Clean is selected from the Action when virus found list, and then select the Clean viruses in compressed files check box.
Click Apply.
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
November 24th, 2005, 05:26 AM
#13
Member
As HTRegz said, it's safe but inconvenient.
I have enabled the quarantine option and am trying to check the logs for genuine mails being blocked.
Working closely with Trend to block this.
Thank you all.
-
November 24th, 2005, 06:19 AM
#14
Member
I also got like 5 viruses today attached to bogus emails with the same virus and one of them looked almost legit except the text file was in a zip so I got suspicious and scanned it first. Turned out to be the same virus. I thought someone intentionally was trying to screw up my computer but I'm glad I'm not the only one.
"They have the internet on computers now?"
-
November 24th, 2005, 10:31 AM
#15
I just got hit too
thought I was on the ignore list for a while
From : office@parkwoodprojects.co.uk
To : emailserv@virgin.net
Subject : Your Password
Attachments : Your Password ( 663 bytes)(2KB)
- message-
This message had an attachment which were found to contain the following virus(es):
File 'reg_pass-data.zip' was infected with virus 'W32.Sober.X@mm!zip' (ID 4815)
The infected file(s) were cleaned or removed from the attachment
details -
Return-Path: <office@parkwoodprojects.co.uk>
Received: from n076.sc1.cp.net (64.97.168.32) by n071.sc1.cp.net (7.2.066)
id 43474C2A00852D9E for xxx.xxx@xxx.xxx; Thu, 24 Nov 2005 08:11:52 +0000
Received: from alfjvshi.uk (62.45.96.249) by n076.sc1.cp.net (7.2.069.1) id 4381FB10001BA6AF; Thu, 24 Nov 2005 08:11:51 +0000
From: office@parkwoodprojects.co.uk
To: emailserv@virgin.net
Date: Thu, 24 Nov 2005 08:06:12 UTC
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <a9bcaacbba0f.9087b58@parkwoodprojects.co.uk>
This is a multi-part message in MIME format.
X-Antivirus: AVG for E-mail 7.1.362 [267.13.5/178]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="========/4381FB10001BA6B0/n076.sc1.cp.net"
Content-Disposition: inline
Now I'm no expert on this sort of thing, but is this the typical style of mail?
Has the sender's address been spoofed?
Or are they 'owned'?
Would you consider sending the sender [office@parkwoodprojects.co.uk] a mail to let them know what is being done in their name?
Or do we just delete and get on with life?
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
November 24th, 2005, 10:34 AM
#16
Originally posted here by foxyloxley
Now I'm no expert on this sort of thing, but is this the typical style of mail?
Has the sender's address been spoofed?
Or are they 'owned'?
Would you consider sending the sender [office@parkwoodprojects.co.uk] a mail to let them know what is being done in their name?
Or do we just delete and get on with life?
That's just a bounce message. The From: address is spoofed but it's quite likely the email is being sent in YOUR name. These messages are sometimes called "backscatter" and frankly they're not helpful.
The only way to determine the true origin of a virus infected email is to trace back the IP addy in the mail headers.
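Tracing the origin as the reply above describes, using the headers quoted in post #15 as a constructed sample (added example, not code from the thread or from any vendor): only the Received lines written by the receiving provider's own relays are trusted, and the first hop they record from an outside host is the injecting machine; the From: domain is then compared against that host, which here exposes the spoofed sender. The relay suffix "sc1.cp.net" is taken from the sample headers and is an assumption about which relays are ours.

```python
import re
import email.utils
from email import message_from_string

# Constructed sample: the headers quoted in post #15 (bounce body omitted).
RAW_HEADERS = """Return-Path: <office@parkwoodprojects.co.uk>
Received: from n076.sc1.cp.net (64.97.168.32) by n071.sc1.cp.net (7.2.066)
 id 43474C2A00852D9E for xxx.xxx@xxx.xxx; Thu, 24 Nov 2005 08:11:52 +0000
Received: from alfjvshi.uk (62.45.96.249) by n076.sc1.cp.net (7.2.069.1) id 4381FB10001BA6AF; Thu, 24 Nov 2005 08:11:51 +0000
From: office@parkwoodprojects.co.uk
To: emailserv@virgin.net
Subject: Your Password
Message-ID: <a9bcaacbba0f.9087b58@parkwoodprojects.co.uk>

"""

# "from <host> (<ipv4>) by <relay>" as written by the relays in the sample.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)")

def received_hops(msg):
    """Parsed Received headers, top (latest hop) to bottom (earliest hop)."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append((m.group("host").lower(), m.group("ip"), m.group("by").lower()))
    return hops

def originating_hop(msg, trusted_suffix):
    """Walk the trusted relay chain downward; the first hop a trusted relay
    recorded from a non-trusted host is the origin. Stop once the 'by' relay
    is not ours: anything below that point could have been forged by the sender."""
    for host, ip, by in received_hops(msg):
        if not by.endswith(trusted_suffix):
            return None
        if not host.endswith(trusted_suffix):
            return host, ip
    return None

def analyse(raw, trusted_suffix):
    """Origin host/IP plus a heuristic flag: the injecting host is not under the
    claimed From: domain (weak on its own, since legitimate mail is often relayed)."""
    msg = message_from_string(raw)
    origin = originating_hop(msg, trusted_suffix)
    if origin is None:
        return None
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    claimed = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return {"origin_host": origin[0], "origin_ip": origin[1],
            "from_domain": claimed,
            "from_looks_spoofed": bool(claimed) and not origin[0].endswith(claimed)}
```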
-
November 24th, 2005, 10:37 AM
#17
The From: address is spoofed but it's quite likely the email is being sent in YOUR name. These messages are sometimes called "backscatter"
So right now there could be mails in MY name doing the rounds?
And do you have any details on this 'backscatter'?
-
November 24th, 2005, 10:41 AM
#18
Well, a typical mass-mailer worm selects a random address on the infected PC to send "from:" and another random one to send "to:". That's absolutely normal and to be expected.
Backscatter happens when (for example) an organisation gets 10,000 infected emails and then helpfully decides to tell the alleged sender that they sent an infected message - so it generates 10,000 bounce messages which it sends to wholly innocent (and uninfected) parties.
There's really no point configuring your software to tell the "sender" the message was infected, because the sender didn't actually send it. All it does do is create a great deal of confusion.
-
November 24th, 2005, 10:55 AM
#19
deleted : now getting on with life
-
November 24th, 2005, 12:57 PM
#20
Sorry for the double post, but bumping thread .......
I've now had SEVEN mails from various organisations, inc CIA
all contain the same virus [all stripped out by AVG]
is everyone else having a busy day too ???
[edit]
they are STILL coming
FBI
Kabul postmaster [WTF]
this is getting ridiculous