
Filter for W32/Swen@MM



Sven Luther wrote:

> BTW, the attachment is of md5sum b09e26c292759d654633d3c8ed00d18d.
>
> Anyone know of an easy way to filter out emails where a given
> attachment has a particular md5sum ?

I wrote a helpful Python script this morning and have successfully filtered 
about 60(!) virus mails with it today already.

  http://elonen.iki.fi/code/misc-notes/mpartinfo2hdr/

The program - when a message is piped through it - analyzes mail attachments 
and puts the results in the header...

    X-Msg-Part-Info: attachment; size="106496";
         md5sum="b09e26c292759d654633d3c8ed00d18d";
         claimedmime="audio/x-wav"; name="gvzvfszn.exe";
         guessedmime="application/x-dosexec"

... so that one can write mail reader rules to filter messages with certain 
attachments.  I'm using Kmail myself, with the following rules:

   Add the attachment info to header:

   1) 'To' doesn't equal 'MATCH_FOR_ALL' =>
       'pipe through' '/home/jarno/bin/mpartinfo2hdr'
       DON'T stop if this matches

   Remove certain virus mail:

   2) 'any header' matches regexp
      'X-Msg-Part-Info:.*b09e26c292759d654633d3c8ed00d18d'
      => move to trash

   Move probable virus mail:
   
   3) 'any header' matches regexp
      'X-Msg-Part-Info:.*guessedmime="application.x-dosexec"'
      OR
      'any header' matches regexp
      'X-Msg-Part-Info:.*name="[^"]*\.pif".*'
      => move to folder 'virus'

- Jarno
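
A sketch of the approach described in the message above, added here as an example; it is not the mpartinfo2hdr script linked in the post. The function names, the two-signature magic-byte sniffer and the sample message are assumptions constructed for illustration; the md5sum is the one quoted in the thread.

```python
import email
import hashlib
import re
from email import policy

KNOWN_BAD_MD5 = {"b09e26c292759d654633d3c8ed00d18d"}  # hash quoted in the thread

# Constructed sample: 12 harmless bytes starting with "MZ", mislabelled as audio/x-wav.
SAMPLE = (
    b"From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b'--XX\r\nContent-Type: audio/x-wav; name="gvzvfszn.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="gvzvfszn.exe"\r\n\r\n'
    b"TVqQAAMAAAAEAAAA\r\n--XX--\r\n"
)

def guess_mime(data):
    """Tiny magic-byte sniffer (assumption: stands in for a file(1)-style guess)."""
    if data[:2] == b"MZ":
        return "application/x-dosexec"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio/x-wav"
    return "application/octet-stream"

def part_info_headers(raw):
    """Return one X-Msg-Part-Info header value per attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    values = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue
        data = part.get_payload(decode=True) or b""
        # The filename is sender-controlled: strip quotes and newlines so it
        # cannot break out of name="..." or inject extra header fields.
        name = re.sub(r'[\r\n"]', "_", name)
        values.append(
            'attachment; size="%d"; md5sum="%s"; claimedmime="%s"; name="%s"; guessedmime="%s"'
            % (len(data), hashlib.md5(data).hexdigest(), part.get_content_type(), name, guess_mime(data)))
    return values

def classify(values, bad_md5=KNOWN_BAD_MD5):
    """Rules 2 and 3 from the post: returns 'trash', 'virus' or 'inbox'."""
    joined = "\n".join(values)
    if set(re.findall(r'md5sum="([0-9a-f]{32})"', joined)) & set(bad_md5):
        return "trash"
    if re.search(r'guessedmime="application/x-dosexec"|name="[^"]*\.pif"', joined, re.I):
        return "virus"
    return "inbox"
```

Calling `classify(part_info_headers(SAMPLE))` on the constructed message gives the 'virus' folder outcome, because the claimed type is audio/x-wav while the content starts with an executable signature.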


