On 24 Jul, Colin J. Raven wrote:
| Hi All!
| Seems like a new and really destructive virus is making the rounds. [...]
| The constant is the wording in the body of the email itself. In 5 days of
| being hit repeatedly by this thing (almost 2700 emails) I have yet to see
| the wording change;
|
| Hi! How are you?
|
| I send you this file in order to have your advice
|
| See you later. Thanks
|
| [...]
I posted 3 recipes yesterday under the Subject thread "Filter virus".
They can be seen at:
http://www.xray.mpe.mpg.de/mailing-lists/procmail/2001-07/msg00322.html
Note: I also followed up with my own errata pointing out that the "c"
flag should *not* be on the recipes.
They are basically the same as Chris Lindsey's response a bit ago, but a
little more comprehensive. For one, they did not catch your original
message because the procmail list is excluded. (I usually process list
mail first, but I've gotten at least a couple dozen of these through a
list.) I considered the procmail list to be the only place I'd care to
see a message containing these lines. If you have others, you can add
them as appropriate.
There are 3 recipes because your assumption about this only taking one
form is incorrect. I have seen a handful of Spanish versions. (When I
posted yesterday, I had just added the Spanish recipe but hadn't seen it
work. I have since then, so that's another plus.) I also saw a report
that there were a couple of other variations of the body. I haven't seen
them myself nor had any confirmation, but the 3rd recipe covers them.
Obviously others might think twice before implementing that recipe,
though I'm not sure what the harm would be. The only weakness I can
think of is the body of the messages is double spaced and I don't allow
for that. The chances of a false positive seem slim to me, and the cost
non-existent. (Chris's looks like it would match the double spacing,
but would also allow any other text to be interspersed as well, so it
still doesn't guarantee no false positives.)
Last note: my body searches are intentionally not anchored to the
beginning of the line. This is to catch (which it has) the brain-dead
responses which are off-topic (e.g. get this guy off the list, and
quoting the message again). For me this is a feature, but someone else
may choose to anchor the expressions.
--
/"\
Don Hammond \ / ASCII Ribbon Campaign
Raleigh, NC US X Against HTML Mail,
/ \ and News Too
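An added example, not part of the original post and not the recipes it links to: a Python sketch of the matching trade-offs discussed in the message above, requiring the three quoted lines in order while tolerating double spacing, rejecting interspersed text, and comparing anchored with unanchored matching. The function names, the example.org addresses and the recipient-based list exemption are assumptions made for illustration.

```python
import re
from email import message_from_string

# The three fixed body lines quoted in the thread.
SIGNATURE = ("Hi! How are you?",
             "I send you this file in order to have your advice",
             "See you later. Thanks")

def build_pattern(anchored=False):
    """Signature lines in order, separated only by blank or quote-only lines."""
    gap = r"[ \t]*\r?\n(?:[ \t>|]*\r?\n)*"  # end of line, then optional blank lines
    lead = "" if anchored else r"[^\n]*"    # unanchored: text may start mid-line
    body = (gap + lead).join(re.escape(s) for s in SIGNATURE)
    return re.compile(("^" if anchored else "") + body, re.MULTILINE)

def is_worm(raw, anchored=False, exempt=("procmail@lists.example",)):
    """True if the message should be filtered. `exempt` is an assumed way of
    recognising list mail (recipient address); the post does not say how."""
    msg = message_from_string(raw)
    rcpts = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    if any(addr in rcpts for addr in exempt):
        return False
    # Plain-text parts only; transfer-encoded parts are not decoded here.
    text = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    return bool(build_pattern(anchored).search(text))

def make(to, body):
    """Build a constructed sample message."""
    return f"From: sender@example.org\nTo: {to}\nSubject: sample\n\n{body}"

# Constructed sample messages (not captured mail).
A, B, C = SIGNATURE
QUOTED_BODY = f"get this guy off the list\n> {A}\n>\n> {B}\n>\n> {C}\n"
SINGLE = make("me@example.org", f"{A}\n{B}\n{C}\n")
DOUBLE = make("me@example.org", f"{A}\n\n{B}\n\n{C}\n")
SPLICED = make("me@example.org", f"{A}\nsome unrelated sentence\n{B}\n{C}\n")
QUOTED = make("other-list@example.org", QUOTED_BODY)
ON_LIST = make("procmail@lists.example", QUOTED_BODY)

if __name__ == "__main__":
    for name in ("SINGLE", "DOUBLE", "SPLICED", "QUOTED", "ON_LIST"):
        raw = globals()[name]
        print(f"{name:8} unanchored={is_worm(raw)} anchored={is_worm(raw, True)}")
```

Only the quoted reply changes verdict between the two modes: anchoring lets it through, while the unanchored form filters it along with the original.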