When there are waves of viruses like the one you are seeing, most of the time some of the infected emails will be stopped by SpamFilter even before they are scanned by the antivirus. This happens as other filters will detect the malicious emails based on the IP and/or email address of the sender.
In this case, you can easily use SpamFilter's quarantine to search for these emails. You are looking for emails in the quarantine that have a .zip attachment. To do so, you can use this query against the database:
SELECT TOP (100) tblMsgs.MsgID, tblQuarantine.MsgDate, tblRejectCodes.RejectID, tblRejectCodes.RejectDesc, tblQuarantine.RejectDetails,
tblQuarantine.QuarID, tblQuarantine.EmailFrom, tblQuarantine.Subject, tblMsgs.Msg
FROM tblRejectCodes INNER JOIN
tblQuarantine ON tblRejectCodes.RejectID = tblQuarantine.RejectID INNER JOIN
tblContentType ON tblQuarantine.MsgID = tblContentType.MsgID INNER JOIN
tblMsgs ON tblContentType.MsgID = tblMsgs.MsgID
WHERE (DATEDIFF(hour, tblQuarantine.MsgDate, GETDATE()) < 24) AND
( (tblMsgs.Msg LIKE N'%application/zip%') OR (tblMsgs.Msg LIKE N'%application/x-zip-compressed%') )
ORDER BY tblMsgs.MsgID DESC
It will look for all emails that were blocked within the past 24 hours and that have either application/zip or application/x-zip-compressed in their body (indicating a compressed attachment).
It may be a bit hard to get the actual message itself from the result set, so I've prepared a set of .asp pages you can use to run this query and click on a link to then download the .eml attachment:
http://www.logsat.com/SpamFilter/pub/SpamFilterBlockedZIPs.zip
To adapt it to your environment, simply change the path to the correct .UDL file defining your database connection in the file db_connect.asp.
-------------
Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
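
Added example, not part of the original post and not LogSat code: once a quarantined message has been saved as an .eml file, this Python sketch parses its MIME structure and reports ZIP attachments by declared content type, by file name and by the ZIP signature bytes. That also catches archives sent as application/octet-stream, which a text match on the two content-type strings does not, and it ignores messages that merely mention those strings in their text. The function names and the sample message are constructed for illustration, and it assumes the .eml is the raw message.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

def zip_attachments(raw_eml: bytes):
    """Return one dict per ZIP attachment found in a raw .eml message."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_magic = data[:4] == b"PK\x03\x04"      # local file header signature
        if not (ctype in ZIP_TYPES or fname.lower().endswith(".zip") or by_magic):
            continue
        try:
            # List member names only; nothing is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = None                         # labelled as ZIP but not parseable
        found.append({"content_type": ctype, "filename": fname,
                      "is_zip": by_magic, "members": members})
    return found

def build_sample() -> bytes:
    """Constructed message: a ZIP attached as application/octet-stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample content")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("This text mentions application/zip but is not an attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in zip_attachments(build_sample()):
        print(hit)
```
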