Re: SirCam and sieve

From: Kari Hurtta (hurtta+)
Date: Thu Aug 02 2001 - 02:42:36 EDT


[ This no longer matches the subject of this mailing list. Sorry. ]
  
> > And for that particular worm there's no need to match the body :
> > /etc/procmailrc :
> > :0
> > * ^ Content-Disposition: Multipart message
> > /var/log/spam/sircam
> >
> > The Content-Disposition: Multipart message is incorrect. No false-positive
> > in more than one week on a university server.
>
> Right, but you don't get them all; in yesterday's mail,
>
> 3,521 match on body (first line of encoded virus)
> TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAA

How unique is that? (Or perhaps it is a good idea to block all (or most) MS
Windows executables :-))
 
> 2,785 match on header
> Content-Disposition: Multipart message
>
> Also seen: 'Content-disposition: Multipartmessage' (several),
> 'Content-Disposition: MULTIPART' (one), no Content-disposition header,
> and bounces with the virus message inside them as a mime part.

If everyone blocks (bounces) viruses from incoming bounces with the virus
message inside, that will create a nice bounce loop.

-- 
          /"\                           |  Kari 
          \ /     ASCII Ribbon Campaign |    Hurtta
           X      Against HTML Mail     |
          / \                           |
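
Added example, not part of the original message or of any poster's filter: the checks discussed in this thread (malformed Content-Disposition variants, an executable body, the virus wrapped inside a bounce) combined with a rule that never answers a bounce with another bounce. All function names, the "quarantine" action and the sample messages are assumptions constructed for illustration.

```python
import base64
import email

# Disposition types defined for mail by RFC 2183; anything else is malformed.
VALID_DISPOSITIONS = {"inline", "attachment"}

def malformed_disposition(part):
    """True for values such as 'Multipart message', 'Multipartmessage', 'MULTIPART'."""
    raw = part.get("Content-Disposition")
    if raw is None:
        return False
    return str(raw).split(";")[0].strip().lower() not in VALID_DISPOSITIONS

def carries_executable(part):
    """True if the decoded part starts with the DOS/PE magic 'MZ' (any executable)."""
    if part.is_multipart():
        return False
    return (part.get_payload(decode=True) or b"").startswith(b"MZ")

def is_bounce(msg, envelope_from):
    """Bounces carry a null envelope sender or arrive as multipart/report."""
    return envelope_from in ("", "<>") or msg.get_content_type() == "multipart/report"

def verdict(raw_message, envelope_from):
    """Return 'deliver', 'bounce' or 'quarantine' for one message."""
    msg = email.message_from_string(raw_message)
    # walk() also descends into message/rfc822 parts, i.e. into wrapped bounces.
    hit = any(malformed_disposition(p) or carries_executable(p) for p in msg.walk())
    if not hit:
        return "deliver"
    # Never answer a bounce with another bounce: that is the loop.
    return "quarantine" if is_bounce(msg, envelope_from) else "bounce"

# Constructed samples (not real traffic): a 64-byte stub that only has the MZ magic.
EXE_B64 = base64.b64encode(b"MZP\x00" + bytes(60)).decode()

def sample(disposition, body_b64):
    head = ["Content-Type: application/octet-stream", "Content-Transfer-Encoding: base64"]
    if disposition:
        head.append("Content-Disposition: " + disposition)
    return "\n".join(head) + "\n\n" + body_b64 + "\n"

def wrapped_in_bounce(inner):
    return ('Content-Type: multipart/report; boundary="b"\n\n--b\n'
            "Content-Type: text/plain\n\nDelivery failed.\n--b\n"
            "Content-Type: message/rfc822\n\n" + inner + "--b--\n")

if __name__ == "__main__":
    print(verdict(wrapped_in_bounce(sample("Multipart message", EXE_B64)), "<>"))
```

The MZ check matches every DOS/Windows executable, not only this worm, so it is the broad "block executables" policy rather than a unique signature.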






