procmail

Re: Please pick apart this love-bug anti-virus filter

2000-05-18 07:31:59
IMHO I don't think a filter that matches the subject line is a good thing to
pursue. With all the script kiddies out there changing the subject line and
the name of the attachment, you will be changing code on an hourly basis.

The better way to attack this problem is to search the email headers and body
for the string ".vbs". Windows is so extension-centric that it can't run a
visual basic script file unless the file name ends in ".vbs". With a filter
like this in place, you won't have to alter your filter code every time
someone invents a new subject line.

--Roy Stewart
rstewart(_at_)glatmos(_dot_)com

Date: Wed, 10 May 2000 01:25:59 -0700 (PDT)
From: John Gianni <john(_at_)cadence(_dot_)com>
To: procmail(_at_)informatik(_dot_)rwth-aachen(_dot_)de
Subject: Please pick apart this love-bug anti-virus filter

I hacked together this love-bug anti-virus filter based only on information
I had at hand on the antigenic variants (based on subject lines).

My request to procmail(_at_)Informatik(_dot_)RWTH-Aachen(_dot_)DE is to
please pick apart this filter -- be brutal -- so that we all can benefit
from the (vastly I hope) improved results.

QUESTION: What is the best way to limit the lines to 80-columns long?
QUESTION: Can it be assumed that all mail will be from IMS clients?
QUESTION: How can we search the visual-basic script itself for keywords?

Thanks,
john(_at_)cadence(_dot_)com

#############################################################################
# Begin: rc.vaccine (preliminary love-bug-elimination filter)
#############################################################################
:0:
* ^Subject: (ILOVEYOU|fwd: Joke|Susitikim shi vakara kavos puodukui|\
  Mothers Day Order Confirmation|Dangerous Virus Warning|\
  Virus ALERT!!! Message Body:|Important! Read carefully!!|Variant Test|\
  Yeah, Yeah another time to DEATH|hehe...check this out|Bewerbung Kreolina)
* X-Mailer:.*Internet Mail Service
* ! ^Subject:.*Re: 
IN.vaccine
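
Added example, not part of the original thread: the ".vbs" check suggested in the reply, written in Python so that a raw substring search can be compared with a check of decoded MIME attachment filenames. It goes beyond the reply by parsing the MIME structure; the function names and the three sample messages are constructed for illustration.

```python
import email

BLOCKED_EXT = (".vbs",)  # the extension named in the reply

def raw_match(raw: bytes) -> bool:
    """Substring search over the whole message (headers and body)."""
    return b".vbs" in raw.lower()

def attachment_match(raw: bytes) -> list[str]:
    """Return decoded attachment filenames that end in a blocked extension."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 parameter encoding
        if not name:
            continue
        # Windows drops trailing dots and spaces when the file is saved.
        if name.lower().rstrip(". ").endswith(BLOCKED_EXT):
            hits.append(name)
    return hits

def _sample(disposition: str) -> bytes:
    """Constructed two-part message carrying one attachment header."""
    return (
        "From: a@example.test\r\nSubject: hello\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f"Content-Disposition: {disposition}\r\n\r\nx\r\n--b1--\r\n"
    ).encode("ascii")

# Constructed samples: a mail that only talks about the extension, a plain
# attachment name, and the same kind of name in RFC 2231 percent-encoding.
DISCUSSION = (b"From: a@example.test\r\nSubject: filter idea\r\n\r\n"
              b"Block names ending in .vbs\r\n")
PLAIN = _sample('attachment; filename="Report.TXT.VBS"')
ENCODED = _sample("attachment; filename*=utf-8''note%2Evbs")

if __name__ == "__main__":
    for label, raw in (("discussion", DISCUSSION), ("plain", PLAIN),
                       ("encoded", ENCODED)):
        print(label, raw_match(raw), attachment_match(raw))
```

The substring search flags the discussion mail and misses the percent-encoded name, while the filename check flags only the two messages that carry a matching attachment.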
