
Re: procmail "solution" against swen



On Tue, Sep 23, 2003 at 12:16:34AM +0200, HdV@DTO.TUDelft.NL wrote:
> On Mon, 22 Sep 2003, christophe barbe wrote:
> 
> > It has the merit of being compact but the inconvenience of reading the body.
> 
> Which is about the only reliable way to filter it.
...
> Not reliable enough for my taste, too many chances of false positives.
...
> This will definitely not catch em all. See below.
...
> This would catch valid messages for sure in my case.
...
> Nope.
> 
> Swen composes its subject line from the following words:

I composed the regexp using 200MB of swen mails. I caught them using
debian/sid spamassassin and its MICROSOFT_EXECUTABLE test. But even if
I have broadband, I wanted to stop them earlier. Earlier meant on a
debian/woody server with an old spamassassin without
MICROSOFT_EXECUTABLE. So far none of the swen mails have been missed by
my procmail rules. Of course the ones without virus still go through.

My current procmail rules contain:

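# The size window is written as plain (unweighted) conditions, so both must
# hold. A weighted size test such as "* 1^0 > 140000" is scored as
# w*(M/L)^x (procmailsc(5)), which with exponent 0 adds w for any size.
# Each subject pattern scores 1 once; the recipe fires if at least one matches.
:0:
* > 140000
* < 165000
* 1^0 ^subject: (undeliverable|undelivered|returned)? ?(mail|message)(:? (returned to (mail|send)er|user unknown))?
* 1^0 ^subject: (new(est)?|latest|last|current)? ?(net(work)?|microsoft|internet)? ?(critical|security)? ?(pack|patch|update|upgrade)
* 1^0 ^subject: (abort|bug|error|failure)? ?(advice|announcement|letter|message|notice|report)
swen-junk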

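# Empty subject inside the size window: search the body (B), case-sensitively
# (D), for this base64 string. The trailing colon locks the mbox on delivery.
:0
* > 140000
* < 165000
*^subject: *$
{
:0 BD:
* b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv
swen-junk
}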

Christophe

-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

People that hate cats will come back as mice in their next life.
--Faith Resnick
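
Added example, not part of Christophe's message: a Python model of how procmailsc(5) scores a recipe of this shape, comparing size tests written as weighted conditions with exponent 0 against unweighted size tests. The subject patterns are copied from the message; the function names and sample messages are constructed for illustration.

```python
import re

# Subject patterns copied from the recipe in the message (procmail matches case-insensitively).
SUBJECT_RES = [
    r"^subject: (undeliverable|undelivered|returned)? ?(mail|message)(:? (returned to (mail|send)er|user unknown))?",
    r"^subject: (new(est)?|latest|last|current)? ?(net(work)?|microsoft|internet)? ?(critical|security)? ?(pack|patch|update|upgrade)",
    r"^subject: (abort|bug|error|failure)? ?(advice|announcement|letter|message|notice|report)",
]
LOW, HIGH = 140000, 165000  # size window from the recipe, in bytes

def subject_score(header):
    # "* 1^0 regex": the weight 1 is added once if the pattern matches at all.
    return sum(1 for p in SUBJECT_RES if re.search(p, header, re.I | re.M))

def weighted_size(w, x, op, limit, size):
    # procmailsc(5): "* w^x > L" adds w*(M/L)^x and "* w^x < L" adds w*(L/M)^x.
    ratio = size / limit if op == ">" else limit / size
    return w * ratio ** x

def all_weighted(header, size):
    # "* -2^0", "* 1^0 > LOW", "* 1^0 < HIGH": the sizes are scored, not tested.
    score = -2 + weighted_size(1, 0, ">", LOW, size) + weighted_size(1, 0, "<", HIGH, size)
    return score + subject_score(header) > 0

def size_gated(header, size):
    # Unweighted "* > LOW" and "* < HIGH" must both hold, then the score must be > 0.
    return LOW < size < HIGH and subject_score(header) > 0

# Constructed sample messages: name -> (header text, total size in bytes).
SAMPLES = {
    "swen-like": ("From: a@example.org\nSubject: Latest Security Patch\n", 152000),
    "small bug report": ("From: b@example.org\nSubject: bug report for procmail\n", 3200),
    "large unrelated": ("From: c@example.org\nSubject: holiday photos\n", 150000),
}

def classify():
    # Returns name -> (caught by all-weighted form, caught by size-gated form).
    return {name: (all_weighted(h, s), size_gated(h, s)) for name, (h, s) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (w, g) in classify().items():
        print(f"{name:18} all-weighted={w!s:5} size-gated={g}")
```

With exponent 0 the weighted size tests cancel the -2 for every message, so the 3200-byte bug report is filed as junk on its subject alone; only the unweighted size tests confine the subject patterns to the 140000-165000 byte window.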


