on Wed, Nov 19, 2003 at 06:42:40AM +0800, David Palmer (davidpalmer@westnet.com.au) wrote:
> Hello,
>
> Just saw this in Eweek, so I thought that I would forward it to the
> list.
>
> http://www.eweek.com/article2/0,4149,1383915,00.asp

Since nobody in their right mind whom I don't already know would send me
a MSFT executable, procmail rules...

"chkmail" comes from the 'spamfilter' package.

Two methods. Take your pick.

By MIME-encoded signature:
------------------------------------------------------------------------
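# Win32 executables (viruses and any other attachment)
# Wed Sep 24 21:09:03 BST 2003
# The two body patterns are the base64 form of the start of a DOS/Windows
# "MZ" executable header and of the DOS stub code that follows it.
:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVqQAAMAAAAEAAAA//8AALg
* 4fug4AtAnNIbg
{
    LOG="LOG: [virus: win32 exe] "

    :0
    Virus/
}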
------------------------------------------------------------------------
By extension:
------------------------------------------------------------------------
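WINDOWS_EXECUTABLE_EXT="(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)"

# The "$" after "*" makes procmail expand the variable in this condition;
# the quotes are escaped because the line is then read with sh-style quoting.
:0 B
* $ ^Content-Type: .*; name=.*\.${WINDOWS_EXECUTABLE_EXT}[\'\"]*
{
    # Succeeds when the sender is not whitelisted.  W makes procmail wait
    # for the exit code, which the "a" recipe below depends on.
    :0 cW
    | ! chkmail --header "From|Sender" $WHITELIST

    :0 a
    {
        LOG="LOG: (Virus!: MSFT executable"

        # Train spamassassin
        :0 c
        | sa-learn --spam --single

        :0:
        Virus/
    }
}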
------------------------------------------------------------------------
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
http://sco.iwethey.org/
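
The two checks from the message above, as an added Python example that is not part of the original post or of the 'spamfilter' package. It goes one step further than the recipes by decoding each MIME part before looking for the "MZ" header, so the test does not depend on how the base64 text is wrapped. The names scan and sample_message, the addresses and the attachments are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension list taken from the second recipe ("DO." and "XL." are wildcards).
# Case-insensitive, as procmail conditions are by default.
EXT_RE = re.compile(
    r"\.(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|"
    r"JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|"
    r"SHS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)$", re.IGNORECASE)

def scan(raw: bytes):
    """Return a sorted list of (filename, reason) for suspicious MIME parts."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""   # undoes base64/QP
        if body[:2] == b"MZ":                         # signature method
            hits.append((name, "mz-header"))
        if EXT_RE.search(name):                       # extension method
            hits.append((name, "extension"))
    return sorted(hits)

def sample_message() -> bytes:
    """Constructed test message; none of the attachments is a real program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    # First bytes of a DOS/Windows executable header, padded with zeros.
    mz_stub = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8"
               + b"\x00" * 47)
    msg.add_attachment(mz_stub, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"plain text, not a program", maintype="application",
                       subtype="octet-stream", filename="photo.SCR")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="paper.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan(sample_message()):
        print(f"{reason:10} {name}")
```

The renamed executable header (notes.txt) is caught only by the signature check and the text file named photo.SCR only by the extension check, which is why the two methods complement each other.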