Jeremy C. Reed wrote:
> I am thinking about blocking all messages that contain any data with lines
> starting with:
> 
> ^TVqQAAMA
> ^UEsDBAoAAA
> 
> What do you think?
 >
 > (I understand these mime64 encoded text means it is a
 > Windows executable.)

Jeremy, I think that's pretty cool.

In my Mozilla mail client under Win98, I set up a filter for
message body containing either of those strings, and ran it
on my trash folder, after having deleted your message.
Action is to move the message into a "Probable Virus" folder.

Told the filter to run on the trash folder.

The Probable Virus folder now contains these subject lines:
   Hello   with document.exe attached   TVqQAAMA
   HELLO   with doc.exe    TVqQAAMA
   Test    with data.zip   UEsDBAoAAA
   Returned mail: see transcript for details
       three attachments, including text.zip  UEsDBAoAAA
       which contains text.text.exe
   ERROR   with body.zip   UEsDBAoAAA
   STATUS  with document.zip
   Re: Fwd: FW: New Virus  (Jeremy's posting)
   TEST    with document.zip   UEsDBAoAAA

This one's a keeper!  Of course I'll watch that folder
for any good stuff, but based on this sample (I keep my
trash for about a month, and get lots of it) the test is
virtually 100% accurate.

Note that the ZIP files rely on the user to (a) hide their
file extensions or (b) click on a file named text.text.exe.
I guess that's true of all the non-EXE attachments.

Thanks again.

Vic