Re: Procmail virus recipes (was Re: Mimail Virus.)
On Wed, 19 Nov 2003 11:58:05 -0800
"Karsten M. Self" <kmself@ix.netcom.com> wrote:
> on Wed, Nov 19, 2003 at 06:42:40AM +0800, David Palmer (davidpalmer@westnet.com.au) wrote:
> > Hello,
> >
> > Just saw this in Eweek, so I thought that I would forward it to the
> > list.
> >
> > http://www.eweek.com/article2/0,4149,1383915,00.asp
>
> Since nobody in their right mind whom I don't already know would send me
> a MSFT executable, procmail rules...
>
> "chkmail" comes from the 'spamfilter' package.
>
> Two methods. Take your pick.
>
>
> By MIME-encoded signature:
>
> ------------------------------------------------------------------------
> # Win32 executables (viruses and any other attachment)
> # Wed Sep 24 21:09:03 BST 2003
> :0 B
> * ^Content-Transfer-Encoding:.*base64
> * ^TVqQAAMAAAAEAAAA//8AALg
> * 4fug4AtAnNIbg
> {
> LOG="LOG: [virus: win32 exe] "
>
> :0
> Virus/
> }
> ------------------------------------------------------------------------
>
>
>
> By extension:
>
> ------------------------------------------------------------------------
> # Extension list, joined back onto one line (it was wrapped in transit).
> WINDOWS_EXECUTABLE_EXT="(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)"
>
>
> # The "$" after "*" makes procmail expand $WINDOWS_EXECUTABLE_EXT inside the
> # condition; under that flag a literal double quote is written as \".
> :0B
> * $ ^Content-Type: .*; name=.*\.$WINDOWS_EXECUTABLE_EXT['\"]*
> {
>
> :0c
> | ! chkmail --header "From|Sender" $WHITELIST
>
> :0a
> {
> LOG="LOG: (Virus!: MSFT executable"
>
> # Train spamassassin
> :0c
> | sa-learn --spam --single
>
> :0:
> Virus/
>
> }
> }
> ------------------------------------------------------------------------
>
>
> Peace.
>
Thank you.
Regards,
David.
http://www.ctheory.net/text_file.asp?pick=402
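
The two checks in the quoted recipes, written as an added Python example (not part of the original post and not code from the spamfilter package): it decodes each MIME part before looking for the Win32 "MZ" header, so the check does not depend on how the base64 text happens to be laid out, and it falls back to the file extension. The sample message, address, file names and the shortened extension set are constructed for the illustration.

```python
import base64
from email import message_from_bytes
from email.message import EmailMessage

# Subset of the WINDOWS_EXECUTABLE_EXT list from the post (shortened here).
RISKY_EXT = {"bat", "cmd", "com", "cpl", "exe", "pif", "scr", "vbs"}

# Constructed sample: first 64 bytes of a typical Win32 PE file (DOS "MZ" header).
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b800") + bytes(46)


def scan(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each MIME part that looks executable."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        # decode=True undoes base64 / quoted-printable before the check.
        body = part.get_payload(decode=True) or b""
        if body.startswith(b"MZ"):  # two-byte magic: a cheap first-pass test
            hits.append((name, "MZ header"))
        elif name.rpartition(".")[2].lower() in RISKY_EXT:
            hits.append((name, "extension"))
    return hits


def build_sample() -> bytes:
    """Constructed message: a renamed PE file, a script, and a harmless file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for data, name in ((MZ_HEADER, "photo.jpg"), (b"echo hi\r\n", "run.BAT"),
                       (b"plain notes\n", "notes.txt")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def signature_matches() -> bool:
    """The recipe's first body condition is the base64 form of the MZ header."""
    return base64.b64encode(MZ_HEADER).startswith(b"TVqQAAMAAAAEAAAA//8AALg")


if __name__ == "__main__":
    print(signature_matches(), scan(build_sample()))
```

The renamed `photo.jpg` is caught by its decoded header even though its extension is not on the list, which is the case the signature recipe covers and the extension recipe does not.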