Re: malware email - Sobig
espr-@e-scape.net
Oct 25, 2003 14:24 PDT
At 06:08 -0400 2003/10/23, jsampson+indexes wrote:
> The ones coming here have all had '.zlo' file endings. I don't know what
> legitimate application uses/produces files with that ending. If I had a
> filter that zapped email with '.zlo' attachments I would have my answer.
Depending on your e-mail client, you might well be able to make
such a filter.
In Eudora 3.1.3 for Mac, it's a matter of going to "Filters",
clicking "New", then "Incoming". Under "Header", choose "Body" from
the drop-down list and in the "Contains" field type ".zlo".
Then under "Actions", choose "Transfer to" and select the "Trash"
mailbox. All incoming messages with ".zlo" in them will be
streamed directly into the Trash.
The only problem, as I hinted before, is that the filter will
also discard any legitimate messages with ".zlo" in the contents.
If you're likely to get them from legitimate sources, you'll
need to check the "Trash" mailbox yourself before emptying it.
You can make similar filters to catch ".scr", ".exe", ".bat",
".pif" and ".vbs" files which you probably won't be getting from
legitimate sources. The problem is that you probably can't do
the same for ".htm" files which can also carry infections.
> But in any case, when would a legitimate 'bounce' notification have an
> attachment?
In fact, most 'bounce' messages contain whatever original message
they couldn't deliver. If that contained an attachment, so would
the non-delivery notice. Since so many people routinely send
e-mail with attachments, they might well open such a 'bounce' to
see which of their messages miscarried and, if working unprotected,
be infected by the phoney 'bounce'. Other 'bounce' messages come
from ISPs whose autoresponders just reply to the address in the
"From:" field instead of looking for the real origin of the
message.
Philip Gardner <philip.-@asgardpublishing.co.uk>
> That sounds as though Zone Alarm has 'quarantined' the attachment by
> changing its file extension. I recently had an .msi file that ZA
> renamed to .zlk. Try Zone Alarm help for how to change it back again,
> assuming that you want to - which you almost certainly don't!
The quarantine method of changing an extension turns the
attachment from executable to non-executable, which is good.
If ZoneAlarm is doing this for you on the way in, all you need
to do is discard the .zlo files: 99% of the time, they will not be
anything you need, and it wouldn't be safe to open them anyhow
unless you do so with a text editor instead of by clicking and
letting Windows do its thing.
Regards,
Judyth
##########################################################
Judyth Mermelstein "cogito ergo lego ergo cogito..."
Montreal, QC <espr-@e-scape.net>
##########################################################
"A word to the wise is sufficient. For others, use more."
"Un mot suffit aux sages; pour les autres, il en faut plus."
##########################################################
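The filter Judyth describes matches the text ".zlo" anywhere in a message, which is why it also catches legitimate mail that merely mentions the extension. The script below is an added example, not code from the thread or from any mail client discussed in it: it parses a message, collects the filenames of every attachment (descending into the message/rfc822 part that a bounce notice wraps around the undeliverable original, which is how an infected attachment rides inside a "bounce"), and decides whether to trash or deliver based on those filenames rather than on body text. The extension list is the one named in the post; the two sample messages are constructed for illustration.

```python
"""
Attachment-extension filter for incoming mail.  Added example, not code
from the original thread.  Uses only the Python standard library.
"""
import os
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions the post names as things you will not get from legitimate
# sources; ".zlo" is the renamed-by-quarantine ending discussed in the thread.
BLOCKED_EXTENSIONS = {".zlo", ".scr", ".exe", ".bat", ".pif", ".vbs"}


def attachment_names(msg):
    """Return every attachment filename found anywhere in the message.

    walk() descends into nested message/rfc822 parts, so the attachment
    carried by the original message inside a bounce notice is seen too.
    """
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_bytes, blocked=BLOCKED_EXTENSIONS):
    """Decide what to do with one raw RFC 5322 message.

    Returns ("trash", [offending filenames]) when any attachment carries a
    blocked extension, else ("deliver", []).  Matching is on the filename's
    last extension, case-insensitively, so "report.pdf.SCR" is caught.
    """
    msg = message_from_bytes(raw_bytes, policy=default)
    hits = [name for name in attachment_names(msg)
            if os.path.splitext(name)[1].lower() in blocked]
    return ("trash", hits) if hits else ("deliver", [])


def build_sample_bounce():
    """Constructed sample: a non-delivery notice wrapping the undeliverable
    original, which itself carried a .zlo attachment."""
    original = EmailMessage()
    original["From"] = "sender@example.com"
    original["To"] = "nobody@example.net"
    original["Subject"] = "your document"
    original.set_content("see attached")
    original.add_attachment(b"not a real executable",
                            maintype="application", subtype="octet-stream",
                            filename="document.zlo")

    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.net"
    bounce["To"] = "sender@example.com"
    bounce["Subject"] = "Returned mail: User unknown"
    bounce.set_content("The following message could not be delivered.")
    bounce.add_attachment(original)  # attached as message/rfc822
    return bounce.as_bytes()


def build_sample_mention():
    """Constructed sample: legitimate mail whose body merely mentions
    ".zlo".  A body-text filter would trash this; a filename filter does not."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "me@example.com"
    msg["Subject"] = "about those bounces"
    msg.set_content("Everything with a .zlo ending here has been a worm.")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("bounce", build_sample_bounce()),
                       ("mention", build_sample_mention())):
        verdict, hits = classify(raw)
        print(f"{label}: {verdict} {hits}")
```

Run as-is, the bounce is trashed because of the nested document.zlo, while the message that only talks about ".zlo" is delivered. A real deployment would hand the verdict to the mail client's or procmail's move-to-folder action; the post's advice to check the Trash before emptying it still applies to whatever lands there.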