-
August 10th, 2004, 03:45 PM
#11
It would be decent of you to email your friends that you get these attachments from. Put their real name in the subject field so they'll know it's from someone that actually knows them and say something about "I got a virus from your email account, so you might want to be on the look-out and run an up to date virus scanner on your computer" and maybe also send messages to other people alerting them to the fact that you may be infected.
-
August 10th, 2004, 03:53 PM
#12
You can't trace the origin of the attachment, as the email is sent from the worm's own SMTP server.
If you believe the email came from one of the groups@whatever you belong to, it would be a good idea, though, to mail the group with a general warning.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
August 10th, 2004, 04:05 PM
#13
Jinxy
We strip all files... with some exceptions... zip is how we transfer info/larger files, etc.
Norton is now catching them... newer version of defs.
From Symantec
Note: Virus definitions version 60809aj (extended version 8/9/2004 rev. 36) and greater are required to detect this threat. The respective LiveUpdate definitions which contain protection are version 60809ak (8/9/2004 rev. 37).
It was a remote user... although he was not connected to us at the time... but that is how the virus/worm got our internal address list.
The user got infected by viewing the HTML file.
Anyway... it was this site (WarChyld) that informed me first, and I was able to give the heads-up to my users until I got the new definition file.
That's why I come here.
Thanks again to everyone
MLF
EDIT
Keezel
Most newer viruses/worms spoof the sender info... even the headers, so I don't think that will work, because you can't REALLY be sure where it is coming from.
Looked like they were coming internally... but it was a remote user.
I also turn off the AV autoresponders, as they just create unnecessary traffic to people that aren't really infected?
How people treat you is their karma- how you react is yours-Wayne Dyer
-
August 10th, 2004, 04:33 PM
#14
We actually block all compression formats now: zip, lha, arj, rar, etc. We tell our customers that if they want to send a compressed file they need to change the extension to something that is not at all like the original extension, and to send a separate email with instructions on what the extension should be. We've been doing this since the first viruses started using zips. It was only a matter of time until they started password-protecting them to keep the email virus scanner from being able to open the archive.
-
August 10th, 2004, 04:44 PM
#15
Originally posted here by morganlefay
Most newer viruses/worms spoof the sender info... even the headers, so I don't think that will work, because you can't REALLY be sure where it is coming from.
Yes, you can. At least one of the Received: headers must be real. The last one is the one from your provider or from your own mail server.
Mohaughn: We block all executables. You can zip 'em, rename 'em, rezip 'em, rename 'em again, and it will still detect an executable and block it.
There's no real reason why any of our users should receive an executable by email.
Every now and then there's some dumbass project leader who thinks s/he can receive updates/patches for their software by email... guess again... Well, my friend, go to that and that office and ask (nicely!) if they will download the patch/update from their website... What? They don't have a website? What kind of company makes software and doesn't have a website? Who's the dumbass that bought that piece of crap software?... Oh... never mind...
Oliver's Law:
Experience is something you don't get until just after you need it.
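The Received: chain walk that SirDice describes, as an added worked example that is not part of the original thread. It reads the headers top-down, trusts only the lines written by our own mail server and by the ISP relay in front of it, and reports the first connecting IP outside that trust boundary; every Received: line below that hop was written by the sender's machine and can say anything. The trusted hostnames, the relay IP and the sample message (constructed with a forged From: and a forged bottom Received: line) are assumptions for the example.

```python
"""Find the first untrusted hop in a message's Received: chain.

Received: lines are read top-down: the topmost line was written by our own
server (the last hop, so the last line added), the next by the relay that
handed the message to us, and so on. Lines written by servers we control
are real; everything below the first connection from an outside IP is
forgeable, because the sender's machine wrote it.
"""
import email
import re

# Assumed for the example: servers whose Received: lines we trust
# (our MX and the ISP relay in front of it) and the relay's source IP.
TRUSTED_HOSTS = {"mx.ourcompany.example", "mail.example-isp.net"}
TRUSTED_IPS = {"198.51.100.7"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the client announced (HELO/EHLO)
    r"(?:\s*\((?P<paren>[^)]*)\))?"    # receiver's own note: (rDNS [ip])
    r"\s+by\s+(?P<by>[\w.\-\[\]]+)",   # server that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: worm mail with a forged From: and a forged bottom hop.
# Hop 1 (top) was written by our MX, hop 2 by the ISP relay, hop 3 is fake.
RAW_MESSAGE = b"""Received: from mail.example-isp.net (mail.example-isp.net [198.51.100.7])
\tby mx.ourcompany.example (Postfix) with ESMTP id 4F3A2
\tfor <user@ourcompany.example>; Tue, 10 Aug 2004 15:02:11 +0200
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby mail.example-isp.net (Postfix) with SMTP id 1B7C9
\tfor <user@ourcompany.example>; Tue, 10 Aug 2004 15:02:09 +0200
Received: from mail.friend.example (mail.friend.example [203.0.113.9])
\tby smtp.forged.example with ESMTP id 9999; Tue, 10 Aug 2004 15:01:00 +0200
From: "A Friend" <friend@friend.example>
To: user@ourcompany.example
Subject: document

see attached
"""


def parse_hops(msg):
    """Return the Received: lines as dicts, most recent (topmost) first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())      # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue
        # Prefer the IP the receiving server recorded in parentheses over the
        # HELO name, which the connecting client chooses itself.
        ip = IP_RE.search(m.group("paren") or m.group("helo"))
        hops.append({"helo": m.group("helo"), "by": m.group("by").lower(),
                     "ip": ip.group(1) if ip else None, "raw": flat})
    return hops


def find_origin(raw, trusted_hosts=TRUSTED_HOSTS, trusted_ips=TRUSTED_IPS):
    """Split the chain at the trust boundary and name the connecting IP."""
    msg = email.message_from_bytes(raw)
    verified, unverified, origin = [], [], None
    for hop in parse_hops(msg):
        if origin is None and hop["by"] in trusted_hosts:
            verified.append(hop)
            if hop["ip"] not in trusted_ips:
                origin = hop              # first connection from outside
        else:
            unverified.append(hop)        # below the boundary: forgeable
    return {"from_header": msg.get("From", ""),
            "origin_ip": origin["ip"] if origin else None,
            "origin_helo": origin["helo"] if origin else None,
            "verified": verified, "unverified": unverified}


if __name__ == "__main__":
    result = find_origin(RAW_MESSAGE)
    print("From: header claims :", result["from_header"])
    print("actual connecting IP:", result["origin_ip"], "(HELO", result["origin_helo"] + ")")
    for hop in result["unverified"]:
        print("unverifiable hop    :", hop["raw"])
```

In the sample the connecting IP seen by the ISP relay is 192.0.2.45, not the friend's mail host named in the forged bottom line or in From:, which is the practical point of both posts: the topmost lines identify the infected machine, while the apparent sender is useless as a contact address. If the message reaches you by POP from the ISP, the line written by the ISP's server is still the one to start from.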
-
August 10th, 2004, 04:59 PM
#16
Sorry, SirDice.
I meant that you really can't be sure WHO you are receiving them from... so there's no use sending them an email stating they have a virus.
I understand that you will see your mail server in the header... that's how I knew it wasn't internal... as it was received by our ISP's mail server and then passed on to us.
(Still use POP accounts.)
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
August 11th, 2004, 03:08 AM
#17
Originally posted here by SirDice
Yes, you can. At least one of the Received: headers must be real. The last one is the one from your provider or from your own mail server.
Mohaughn: We block all executables. You can zip 'em, rename 'em, rezip 'em, rename 'em again, and it will still detect an executable and block it.
There's no real reason why any of our users should receive an executable by email.
Every now and then there's some dumbass project leader who thinks s/he can receive updates/patches for their software by email... guess again... Well, my friend, go to that and that office and ask (nicely!) if they will download the patch/update from their website... What? They don't have a website? What kind of company makes software and doesn't have a website? Who's the dumbass that bought that piece of crap software?... Oh... never mind...
What software are you using that can still pick up that a file is an executable with the extension renamed? Also, are you blocking password-protected zips? If not, the scanners usually can't open them to see what is inside. That is why we just flat-out block archive programs. We have a list of about 40 file types that we block: all executables, PIFs, REG files, etc. Just about anything that can run on a system or change a system configuration is blocked. I agree with you, though: SMTP is not, and was never intended to be, a file transfer protocol. Use HTTP or FTP for that. I'm sure that as SharePoint Services becomes more prevalent, people will have less of a need to email files.
-
August 11th, 2004, 01:19 PM
#18
Originally posted here by mohaughn
What software are you using that can still pick up that a file is an executable with the extension renamed?
Take a look at ClearSwift's MIMESweeper. It really looks at the file itself (PE headers) to determine what it is.
Also, are you blocking password-protected zips? If not, the scanners usually can't open them to see what is inside.
We also block all encrypted emails (this includes zip+password). Only a few people who really need it (for security reasons) are allowed to use encrypted emails.
We also block sh*tloads of multimedia content, stuff like mp3, mpeg movies, etc.
Oliver's Law:
Experience is something you don't get until just after you need it.
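A content-based attachment check of the kind discussed in posts #17 and #18, as an added example; it is not the thread's code and not MIMESweeper's. It recognises a Windows PE executable by its MZ/PE headers whatever the file is called, recurses into zip archives (including ones renamed to an innocent extension), refuses entries the scanner cannot open (the zip encryption flag that a password-protected archive sets), refuses archives nested too deep or declaring oversized entries, and keeps an extension block list for file types that are not PE files. The block list, the limits and the sample attachments are constructed for the example; the "encrypted" fixture only sets the encryption flag bit so the code path runs without a real password-protected archive.

```python
"""Attachment inspection by content rather than file name, with a recursive
walk into zip archives and a hard block on entries the scanner cannot open."""
import io
import os
import zipfile

# Assumed policy values for the example.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".reg", ".vbs", ".js"}
MAX_DEPTH = 3               # archives nested deeper than this are blocked outright
MAX_ENTRY_BYTES = 50 << 20  # refuse to expand entries declaring more than 50 MiB
ZIP_ENCRYPTED_FLAG = 0x1    # bit 0 of the zip general-purpose flag field


def is_pe(data):
    """True if data carries a DOS MZ stub pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def inspect(name, data, depth=0):
    """Return ("block", reason) or ("allow", reason) for one attachment."""
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{name}: extension {ext} is on the block list"
    if is_pe(data):
        return "block", f"{name}: PE executable by content"
    if zipfile.is_zipfile(io.BytesIO(data)):      # magic check, not the name
        if depth >= MAX_DEPTH:
            return "block", f"{name}: archive nested more than {MAX_DEPTH} levels"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{name}/{info.filename}"
                if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                    return "block", f"{inner}: encrypted entry cannot be scanned"
                if info.file_size > MAX_ENTRY_BYTES:
                    return "block", f"{inner}: declared size {info.file_size} too large"
                verdict = inspect(inner, zf.read(info), depth + 1)
                if verdict[0] == "block":
                    return verdict
    return "allow", f"{name}: no executable content found"


# --- constructed fixtures (not real malware) ---
# Minimal PE-looking blob: MZ stub, e_lfanew = 0x40, "PE\0\0" at 0x40.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 64


def make_zip(entries):
    """Build an uncompressed in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for fname, content in entries.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Fixture only: set the encryption flag in the local file header (offset 6)
    and central directory header (offset 8) of a single-entry archive. The data
    itself is not encrypted; the scanner must refuse it on the flag alone."""
    b = bytearray(zip_bytes)
    b[b.find(b"PK\x03\x04") + 6] |= ZIP_ENCRYPTED_FLAG
    b[b.find(b"PK\x01\x02") + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(b)


def run_samples():
    """Verdicts for a set of constructed attachments."""
    zipped = make_zip({"readme.txt": FAKE_PE})           # executable inside a zip
    nested = make_zip({"inner.dat": zipped})             # zip in zip, both renamed
    locked = mark_encrypted(make_zip({"doc.txt": b"hello"}))
    clean = make_zip({"notes.txt": b"meeting at 3"})
    return {
        "photo.jpg": inspect("photo.jpg", FAKE_PE)[0],   # renamed executable
        "archive.dat": inspect("archive.dat", zipped)[0],
        "outer.bin": inspect("outer.bin", nested)[0],
        "locked.zip": inspect("locked.zip", locked)[0],
        "notes.zip": inspect("notes.zip", clean)[0],
    }


if __name__ == "__main__":
    for fname, verdict in run_samples().items():
        print(f"{verdict:5} {fname}")
```

The order of checks matters: the extension list runs first because the thread's policy is to drop those types even when the bytes are harmless, the PE check then catches renamed executables, and only after that is the zip magic consulted, so the customer-side trick of renaming an archive to an unrelated extension does not bypass the walk. Blocking on the encryption flag before calling `read()` is what stops a password-protected archive from sailing through unscanned, which is the gap post #17 describes.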