
Re: new ZippedFiles email worm recipe

1999-06-12 10:50:33
era eriksson said at one time:


On Fri, 11 Jun 1999 17:43:51 -0700 (PDT), cueman(_at_)cuenet(_dot_)com wrote:
 > You might consider just filtering for 'zipped_files.exe' and

Um, that would have matched on this message I'm quoting, and this one
too. (As would Jerry's original recipe, but I think the question was
how to improve it, not how to dilute it :-)

You are right and that isn't exactly what I meant, my fault for not
being more explicit.

Given this example, I'd try something like

    :0B
    * I received your email and I shall send you a reply ASAP\.($|[   ])*\
      Till then, take a look at the attached zipped docs\.
    * ($)($)--.*\
      Content-Type:\<*application/.*;\<*name=zipped_files\.exe
    | filter or whatever

The second condition tries to look for an attachment boundary followed
by the MIME body part header used in the example I found on Deja.
Probably the Content-type: body part header will always be the first
body part header in a set of headers, but one could allow for
additional non-empty lines between the boundary and the header as a
precaution against mutations. (You could look for the corresponding
Content-disposition: header as well.)

This is more to my point: look for the offensive file where attached
executables are found, and don't rely on text in the email or the
'Subject: ' field.

I have been using John Hardin's:
 ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

program which just renames .exe files that show up as attachments
so that they are no longer executable. The program also includes
a 'poison' file where you can put the known name of an offensive
executable and the program will scan for everything in the file.

Another message in the same thread from Deja warned against checking
for only application/octet-stream, so I changed that to application/.*
(which again is a bit lax for my taste, but not terribly. You could
even look for simply something like Content-Type:.*zipped_files
[shudder] and not expect too many false matches [and if people send
you attachments with file names such as zipped_files_exe.doc it serves
them right if they get filtered]). The same message also suggests to
look for attachments named prettypark.exe but I don't know if that's a
different virus or a variant of this one.

Great, I just put prettypark.exe in my poison file also!

Thanks ;^)

--Paul T.


-- 
Windows98 (noun): 32 bit extensions and a graphical shell for a 16 bit
patch to an 8 bit operating system originally coded for a 4 bit
microprocessor, written by a 2 bit company, that can't stand 1 bit of
competition.
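The attachment-header check that the recipe above expresses as a procmail regex, as an added example that is not code from this thread or from John Hardin's package: it parses the MIME body part headers, collects every Content-Type name= and Content-Disposition filename=, and compares them against a constructed poison list and an executable-extension list, ignoring the Subject: and body text entirely. The message builder, the poison list and the addresses are constructed for the example.

```python
"""Added example (not from the thread): scan MIME body part headers for
poison filenames and executable attachments, as a defender would."""
import email
import re
from email import policy

POISON = {"zipped_files.exe", "prettypark.exe"}   # constructed poison list
EXEC_EXT = re.compile(r"\.(exe|com|bat|scr|pif|vbs)$", re.I)

def build_sample(filename, ctype="application/octet-stream"):
    """Construct a minimal two-part message carrying one attachment
    (constructed sample, modelled on the body part headers quoted above)."""
    return (
        "From: sender@example.invalid\r\nTo: you@example.invalid\r\n"
        "Subject: hello\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
        "--XYZ\r\nContent-Type: text/plain\r\n\r\n"
        "I received your email and I shall send you a reply ASAP.\r\n"
        f"--XYZ\r\nContent-Type: {ctype}; name={filename}\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA//8AAA==\r\n"
        "--XYZ--\r\n"
    ).encode()

def attachment_names(raw):
    """Return every filename found in a Content-Type name= or
    Content-Disposition filename= parameter of any body part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        for n in (part.get_param("name"), part.get_filename()):
            if n and n not in names:
                names.append(n)
    return names

def classify(raw):
    """Return (poison_hits, executable_hits) for a raw message: poison hits
    match the list exactly (case-insensitive), executable hits match by
    extension so renamed-but-still-executable files are also caught."""
    names = attachment_names(raw)
    poison = [n for n in names if n.lower() in POISON]
    execs = [n for n in names if EXEC_EXT.search(n)]
    return poison, execs

if __name__ == "__main__":
    print(classify(build_sample("zipped_files.exe")))
    print(classify(build_sample("zipped_files_exe.doc")))
```

The second call shows that matching on the parsed filename, rather than on `Content-Type:.*zipped_files`, leaves a harmless zipped_files_exe.doc alone.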
