Re: Classifying W32/MyDoom.A

On Thu, 2004-01-29 at 20:06, Eliot, GLI wireless tech support wrote:
> Has anyone come up with a ruleset for classifying a random TCP or
> specific SMTP connection as being the W32/MyDoom.A virus?

<<snip>>

> Anyone have any ideas how to do this without too many false positives?
> (i.e. a document on the web that describes the characteristics of
> MyDoom.A).

Since it spreads via SMTP from clients and not servers, why not just
block all smtp traffic outbound to the internet from your client
machines, and only allow your mail server to send smtp mail?

Of course you would need a decent anti-virus program on the mail server.

The other way you could possibly do this is by using a string match to
look inside any smtp packets for matches of the attachment names(?).

-- 
--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
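An added example (not part of this thread) of the two approaches in the reply above as netfilter rules for a Linux gateway: only the mail server may open outbound TCP/25, everything else is logged and refused, plus an optional payload match for an attachment name. The mail server address 192.0.2.10, the LAN interface eth0 and the attachment-name placeholder are assumptions; the real worm's attachment names are not given here.

```shell
#!/bin/sh
# Added example: SMTP egress filtering on a Linux netfilter gateway so that
# only the site mail server can relay to the internet. Infected clients that
# try to mail themselves out are logged and refused, which also makes the
# log a cheap infection indicator.
# Dry-run by default (prints the rules); run as root with IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}

# Usage: smtp_egress_rules <mail-server-ip> <lan-interface>
smtp_egress_rules() {
    mailserver=$1
    lan_if=$2
    # Dedicated chain for outbound SMTP decisions; flush it if it already exists.
    $IPT -N SMTP_EGRESS 2>/dev/null || $IPT -F SMTP_EGRESS
    # The mail server is the only host allowed to send SMTP outbound.
    $IPT -A SMTP_EGRESS -s "$mailserver" -j ACCEPT
    # Anything else is a policy violation worth a look: rate-limited log, then refuse.
    $IPT -A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "SMTP_EGRESS_BLOCK: "
    $IPT -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
    # Hook: the first (SYN) packet of each outbound TCP/25 connection from the
    # LAN goes through the chain, so each attempt is logged once.
    $IPT -I FORWARD -i "$lan_if" -p tcp --dport 25 --syn -j SMTP_EGRESS
}

# Usage: smtp_attachment_match_rule <attachment-name>
# The string-match idea from the reply. Caveats: the string match inspects one
# packet at a time, so a name split across two segments is missed; the name is
# only in cleartext in the MIME headers (Content-Disposition / name=), the body
# itself is base64-encoded; and a TLS-wrapped session shows nothing at all.
smtp_attachment_match_rule() {
    pattern=$1
    # DROP first, then insert LOG above it so a hit is logged before it is dropped.
    $IPT -I FORWARD -p tcp --dport 25 -m string --algo bm --string "$pattern" -j DROP
    $IPT -I FORWARD -p tcp --dport 25 -m string --algo bm --string "$pattern" \
        -m limit --limit 10/min -j LOG --log-prefix "SMTP_ATTACH_MATCH: "
}

# Demo with constructed values: mail server 192.0.2.10 behind eth0, and a
# placeholder attachment name (assumption; substitute the names you are after).
smtp_egress_rules 192.0.2.10 eth0
smtp_attachment_match_rule "ATTACHMENT_NAME_PLACEHOLDER"
```

With `IPT=iptables` the same functions apply the rules on a stock kernel with the string match module available; the egress rules alone need nothing beyond the base netfilter modules.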


