Re: IL0VEY0U has mutated

"John D. Hardin" <jhardin(_at_)wolfenet(_dot_)com> writes:

On Fri, 5 May 2000, Lars Hecking wrote:

 I am not sure whether this will work if the Content* header
 is spread over several lines.


That's one reason I recommend my sanitizer. Procmail does *not* unwrap
MIME headers in the body, so it's trivially easy to defeat roules like
this in a regular procmail script. F'rinstance:

 Content-Type: 
   application/octet-stream;
   name = 
   "YetAnotherVariant.TXT.vbs"


Hmm, my previous post allowed for the Content-* header to cover multiple
lines but it didn't allow whitespace after the '='.  Here's a corrected
condition:

        * B ?? ^Content-[-a-z0-9_]+:.*($[       ].*)*=[  ]*($[  ]+)*"?\
                [^"]*\.(vb[se]|ws[fh]|hta)


Philip Guenther

<Prev in Thread]	Current Thread	[Next in Thread>
Re: IL0VEY0U has mutated, (continued) Re: IL0VEY0U has mutated, Jerry Preeper Re: IL0VEY0U has mutated, Philip Guenther Re: IL0VEY0U has mutated, Christopher Lindsey Re: IL0VEY0U has mutated, John D. Hardin Re: IL0VEY0U has mutated, Lars Hecking Re: IL0VEY0U has mutated, Roberto Ullfig Re: IL0VEY0U has mutated, Roberto Ullfig Re: IL0VEY0U has mutated, ino-waiting Re: IL0VEY0U has mutated, Liviu Daia Re: IL0VEY0U has mutated, John D. Hardin Re: IL0VEY0U has mutated, Philip Guenther <= Re: IL0VEY0U has mutated, Bennett Todd Re: IL0VEY0U has mutated, Aaron Schrab The ILOVEYOU Virus......., Ian Chilton Re: The ILOVEYOU Virus......., ino-waiting

Previous by Date:	RE: mkdir, Dallman Ross
Next by Date:	INCLUDERC, Lee Howard
Previous by Thread:	Re: IL0VEY0U has mutated, John D. Hardin
Next by Thread:	Re: IL0VEY0U has mutated, Bennett Todd
Indexes:	[Date] [Thread] [Top] [All Lists]