Filter for W32/Swen@MM
Sven Luther wrote:
> BTW, the attachment is of md5sum b09e26c292759d654633d3c8ed00d18d.
>
> Anyone know of an easy way to filter out emails where a given
> attachment has a particular md5sum ?
I wrote a helpful Python script this morning and have successfully filtered
about 60(!) virus mails with it today already.
http://elonen.iki.fi/code/misc-notes/mpartinfo2hdr/
The program - when a message is piped through it - analyzes mail attachments
and puts the results in the header...
  X-Msg-Part-Info: attachment; size="106496";
      md5sum="b09e26c292759d654633d3c8ed00d18d";
      claimedmime="audio/x-wav"; name="gvzvfszn.exe";
      guessedmime="application/x-dosexec"
... so that one can write mail reader rules to filter messages with certain
attachments. I'm using Kmail myself, with the following rules:
Add the attachment info to header:
  1) 'To' doesn't equal 'MATCH_FOR_ALL' =>
     'pipe through' '/home/jarno/bin/mpartinfo2hdr'
     DON'T stop if this matches

Remove certain virus mail:
  2) 'any header' matches regexp
     'X-Msg-Part-Info:.*b09e26c292759d654633d3c8ed00d18d'
     => move to trash

Move probably virus mail:
  3) 'any header' matches regexp
     'X-Msg-Part-Info:.*guessedmime="application.x-dosexec"'
     OR
     'any header' matches regexp
     'X-Msg-Part-Info:.*name="[^"]*\.pif".*'
     => move to folder 'virus'
- Jarno
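
A sketch of the kind of filter described in the message above, added here as an example; it is not the mpartinfo2hdr script from the link. The magic-byte table, the function names and the sample message are assumptions made for illustration, and the header layout follows the X-Msg-Part-Info example in the post.

```python
import hashlib, re, sys
from email import message_from_bytes
from email.message import EmailMessage

# Tiny magic-byte table standing in for a real file-type guesser (assumption).
MAGIC = [(b"MZ", "application/x-dosexec"), (b"PK\x03\x04", "application/zip"),
         (b"RIFF", "audio/x-wav")]

def guess_mime(data):
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return "application/octet-stream"

def part_info(part):
    data = part.get_payload(decode=True) or b""
    fields = [("size", str(len(data))),
              ("md5sum", hashlib.md5(data).hexdigest()),
              ("claimedmime", part.get_content_type()),
              ("name", part.get_filename() or ""),
              ("guessedmime", guess_mime(data))]
    # Sender-controlled values: neutralise quotes and line breaks before they reach a header.
    clean = lambda v: re.sub(r'[\r\n"]', "_", v)
    return "attachment; " + "; ".join('%s="%s"' % (k, clean(v)) for k, v in fields)

def annotate(raw):
    msg = message_from_bytes(raw)
    del msg["X-Msg-Part-Info"]  # discard copies supplied by the sender
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            msg["X-Msg-Part-Info"] = part_info(part)  # one header per attachment
    return msg

def sample_message():
    # Constructed sample: an "MZ" payload declared as audio/x-wav, plus a forged header.
    m = EmailMessage()
    m["To"] = "user@example.org"
    m["X-Msg-Part-Info"] = "forged"
    m.set_content("hello")
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="audio", subtype="x-wav",
                     filename="sample.exe")
    return m.as_bytes()

if __name__ == "__main__":
    # Filter mode: message on stdin, annotated message on stdout.
    sys.stdout.buffer.write(annotate(sys.stdin.buffer.read()).as_bytes())
```

Removing any X-Msg-Part-Info header that arrives with the message keeps a sender from planting values that the downstream rules would trust.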