procmail

Re: SirCam filter mark II

2001-07-24 15:52:03
On 24 Jul, Kip Turk wrote:
| On Tue, 24 Jul 2001, i l i a n a f i l b y wrote:
| 
| > I poked at Don Hammond's suggestion and came up with the following.
| > Comments & suggestions are very welcome.
| >
| > ############################################################
| >
| > # SirCam protection
| >
| > :0 H
| > * ! ^X-BeenThere: procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
| > * B ?? Hi\! How are you\?
| > * B ?? I send you this file in order to have your advice
| > * B ?? See you later. Thanks
| > * B ?? Hola como estas *\?
| > * B ?? Te mando este archivo para que me des tu punto de vista
| > * B ?? Nos vemos pronto, gracias\.
| > * B ?? Hi\! How are you\?
| > * 1^0 B ?? I send you this file in order to have your advice
| > * 1^0 B ?? I hope you like the file that I send( t)?o you
| > * 1^0 B ?? This is the file with the information that you ask for
| > * B ?? See you later. Thanks
| >
| > {
| >     LOG='REJECT - SirCam'
| >
| >     :0
| >     /var/tmp/SirCam-quarantine
| > }
| > ###########################################################
| >
| 
| I also added a check to verify the attachment existed.  Some of my users
| are sending around full blown HTML versions of the mcafee/norton pages
| giving details on the virus.  These contain the body as the virus within
| the page, and I see no reason to hinder the imparting of clues, even if it
| is HTML infested.
| 
| * ^Content-Type:.*(multipart|attachment)
| 

That then makes sense. In my case, I don't want to see any hints of it,
except on this list -- and maybe soon not even here. ;-)

But getting back to Iliana's recipe... It won't work. Each of the
non-scored conditions will have to match, and they won't. You won't see
(or at least I seriously doubt it) both Spanish and English in the same
message. So Iliana needs to use scoring with each of the body conditions
(i.e. those beginning "* B ??") to make this work as one recipe. Then,
to insist that 3 of these lines be present, subtract 2 from the final
score:

:0 H
# * ^Content-Type:.*(multipart|attachment)  # uncomment if desired
* ! ^X-BeenThere: procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
*  1^0 B ?? Hi\! How are you(\?|=3F)
*  1^0 B ?? I send you this file in order to have your advice
*  1^0 B ?? See you later(\.|=2E) Thanks
*  1^0 B ?? Hola como estas *\?
*  1^0 B ?? Te mando este archivo para que me des tu punto de vista
*  1^0 B ?? Nos vemos pronto, gracias\.
*  1^0 B ?? I hope you like the file that I send( t)?o you
*  1^0 B ?? This is the file with the information that you ask for
* -2^0
{ Do whatever floats your boat here }

I've eliminated the duplicate conditions and also taken the liberty of
adding protection against the (Outlook?) encoding issue I saw with the
period and question mark. It should probably be done on the Spanish
lines also, but I haven't seen that so that's up to anybody else. This
still isn't perfect because you could have English and Spanish
interspersed in the same message and it probably wouldn't be this worm.
But the chances of that seem small enough to be discounted, and the
moron that sends that message doesn't deserve to have it read anyway.
Lastly, I'll remind Iliana and anyone else considering this recipe that
it will plonk anything (not on this list) with these lines in the body,
including people responding to and quoting the original message. That,
for me was a feature. If it's not for you, then anchor each of the body
conditions to the beginning of the line with a "^", for example:

* 1^0 B ?? ^Hi\! How are you\?

This probably lowers the risk of false positives somewhat, but doesn't
eliminate it. But ask yourself, what are the chances a message shows up
that matches this recipe and isn't the worm. Then ask yourself why it
showed up, and whether the sender is that moron...

-- 
                   /"\
Don Hammond        \ /     ASCII Ribbon Campaign
Raleigh, NC US      X        Against HTML Mail,
                   / \      and News Too
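An added illustration of the scoring point made above (not code from the original post or from procmail itself): the plain "* B ??" conditions are ANDed, so the first recipe can never match a body that is only English or only Spanish, while the "1^0" weights plus a bare "-2^0" make the recipe fire once any three lines are present. It mimics procmail's rules (case-insensitive matching, delivery when the final score is above zero) over constructed sample bodies; the X-BeenThere header condition is left out.

```python
import re

# Body conditions from the corrected recipe: each is one "* 1^0 B ?? regex"
# line. Procmail matches case-insensitively unless the D flag is given.
BODY_CONDITIONS = [
    r"Hi\! How are you(\?|=3F)",
    r"I send you this file in order to have your advice",
    r"See you later(\.|=2E) Thanks",
    r"Hola como estas *\?",
    r"Te mando este archivo para que me des tu punto de vista",
    r"Nos vemos pronto, gracias\.",
    r"I hope you like the file that I send( t)?o you",
    r"This is the file with the information that you ask for",
]
OFFSET = -2  # the bare "* -2^0" line: an empty regexp always matches


def unscored_recipe_matches(body):
    """Iliana's version: every plain '* B ??' line must match (logical AND)."""
    return all(re.search(p, body, re.IGNORECASE) for p in BODY_CONDITIONS)


def score_recipe(body):
    """Don's version: +1 per matching line, then the constant -2 offset."""
    hits = sum(1 for p in BODY_CONDITIONS if re.search(p, body, re.IGNORECASE))
    return hits + OFFSET


def scored_recipe_matches(body):
    """Procmail delivers when the final score is greater than zero,
    which here means three or more of the body lines were found."""
    return score_recipe(body) > 0


# Constructed sample bodies (not captured mail).
ENGLISH_WORM = ("Hi! How are you?\n\nI send you this file in order to have "
                "your advice\n\nSee you later. Thanks\n")
# Same text after quoted-printable mangling of '?' and '.' (=3F / =2E).
ENGLISH_QP = ("Hi! How are you=3F\n\nI hope you like the file that I send "
              "to you\n\nSee you later=2E Thanks\n")
# Only two lines present: score 0, so the scored recipe does not fire.
INNOCENT = "Hi! How are you? See you later. Thanks for the advice.\n"
```

Run the three samples through both functions to see that the AND version rejects every one of them while the scored version accepts the two worm-like bodies and leaves the two-line message alone.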

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
