
Re: Filter for W32/Swen@MM, was Re: Virus emails



Jarno Elonen <elonen@iki.fi> wrote, "I wrote a helpful Python script
this morning and have successfully filtered about 60(!) virus mails with
it today already.  http://elonen.iki.fi/code/misc-notes/mpartinfo2hdr/";

It's a neat little program, testing for the true file-type sent.  For an
individual user without access to something like Amavisd-new, it's a
valuable little script.  However, for 90% of the viruses and spam out
there, some simple procmail scripting would be good enough.  e.g.

	# Example killfile
	:0 HB
	# Initial score: the empty regexp always matches, so every
	# message starts at -99.  The recipe fires only when the
	# conditions below push the total above zero.
	* -99^0

	# Attachments -- viruses and spam are often HTML pages.
	# They may claim "wav" or some such in the MIME type, but
	# a virus usually still carries an executable M$ attachment
	# suffix.  Exponent 1: each matching MIME part adds the weight.
	*  50^1 ^Content-Type.*(html|word|excel|zip-compressed|x-msdownload)
	*  20^1 ^Content-Type.*(gif|jpe?g)
	*  50^1 ^Content-Type.*(wav|mpe?g|avi|vid|ram)
	*  75^1 ^Content-Type.*(exe|scr|pif|bat|com|vbs)

	# Some spam and viruses omit headers (exponent 0: counted once)
	*  20^0 ! ^From:
	*  20^0 ! ^To:
	*  20^0 ! ^Subject:

	# Well-known virus headers
	*  75^1 ^From.*big@boss

	# Don't feed the trolls
	*  20^1 ^From:.*troll@underbridge\.net

	# Thread killing -- effective when paired w/ trolls
	*  80^1 ^Subject:.*Stupid Thread
	{
		LOG="X-Kill-Score: $=
"
		# Deliver to the Great BitBucket
		:0
		/dev/null
	}


-- 
Chad Walstrom <chewie@wookimus.net>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */
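Added example, not part of Chad's message and not procmail itself: a small Python model of the killfile's scoring, run over a few constructed messages, to show where the threshold actually lands. It follows my reading of procmailsc(5): a condition "* w^x regexp" adds w for its first match and w * x**(n-1) for the n-th, so x=0 counts a condition once and x=1 counts every match, and the recipe fires when the total is greater than zero. Header and body are scanned as one string here (a simplification of procmail's separate H and B passes); the sample messages, sender addresses and boundary strings are all made up.

```python
import re

# (weight, exponent, negated, regexp) -- transcribed from the killfile above.
RULES = [
    (-99, 0, False, ""),  # empty regexp always matches: the initial score
    (50, 1, False, r"^Content-Type.*(html|word|excel|zip-compressed|x-msdownload)"),
    (20, 1, False, r"^Content-Type.*(gif|jpe?g)"),
    (50, 1, False, r"^Content-Type.*(wav|mpe?g|avi|vid|ram)"),
    (75, 1, False, r"^Content-Type.*(exe|scr|pif|bat|com|vbs)"),
    (20, 0, True, r"^From:"),
    (20, 0, True, r"^To:"),
    (20, 0, True, r"^Subject:"),
    (75, 1, False, r"^From.*big@boss"),
    (20, 1, False, r"^From:.*troll@underbridge\.net"),
    (80, 1, False, r"^Subject:.*Stupid Thread"),
]


def count_matches(regexp, text):
    """Non-overlapping matches of regexp in text.  procmail regexps are
    case-insensitive and '^' anchors at any line start; re.I | re.M mimics that."""
    if regexp == "":
        return 1
    return sum(1 for _ in re.finditer(regexp, text, re.I | re.M))


def condition_score(weight, exponent, negated, regexp, text):
    """Score of one 'w^x' condition: w + w*x + w*x**2 + ... for n matches.
    In Python 0 ** 0 == 1, so exponent 0 yields the weight exactly once."""
    n = count_matches(regexp, text)
    if negated:  # "! regexp" matches once iff regexp never matches
        n = 0 if n else 1
    return sum(weight * exponent ** i for i in range(n))


def kill_score(message):
    """Total for the ':0 HB' recipe (header and body scanned together here)."""
    return sum(condition_score(w, x, neg, rx, message) for w, x, neg, rx in RULES)


def killed(message):
    """procmail fires the recipe when the summed score is positive."""
    return kill_score(message) > 0


# Constructed sample messages (not real captures).
CLEAN = """\
From: alice@example.org
To: bob@example.org
Subject: meeting notes
Content-Type: text/plain

See you at 10.
"""

HTML_NEWSLETTER = """\
From: news@example.com
To: bob@example.org
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>Hi</body></html>
"""

# Shaped like a Swen-style mail: spoofed sender, no To:, HTML part plus an .exe.
SWEN_LIKE = """\
From: "MS Network Security Center" <security@example.invalid>
Subject: Latest Internet Critical Patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="NEXT"

--NEXT
Content-Type: text/html; charset="iso-8859-1"

<html><body>Install this patch.</body></html>
--NEXT
Content-Type: application/x-msdownload; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

TVqQAAMAAAAEAAAA
--NEXT--
"""

TROLL_THREAD = """\
From: Troll <troll@underbridge.net>
To: list@example.org
Subject: Re: Stupid Thread
Content-Type: text/plain

Nope.
"""

# Same thread, different poster: the subject rule alone does not reach zero.
BYSTANDER_IN_THREAD = TROLL_THREAD.replace("Troll <troll@underbridge.net>", "carol@example.org")

if __name__ == "__main__":
    for name in ("CLEAN", "HTML_NEWSLETTER", "SWEN_LIKE", "TROLL_THREAD", "BYSTANDER_IN_THREAD"):
        msg = globals()[name]
        print(f"{name:20s} X-Kill-Score: {kill_score(msg):4d}  {'killed' if killed(msg) else 'delivered'}")
```

The numbers make the design of the killfile visible: a plain HTML newsletter sits at -49 and is delivered, the Swen-shaped mail collects 100 from its two MIME parts, 75 for the .exe name and 20 for the missing To: and ends at 96, and the troll rule on its own would never fire (20 against -99) but paired with the thread rule lands at exactly 1, while a bystander replying in the same thread stays at -19.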
