procmail

Re: Sircam virus answer

2001-07-25 16:56:01
What code is needed for this?

Ummm, I wouldn't risk filtering solely on this condition.

From RFC822:

   When matching any other syntactic unit, case is to be ignored.
   For  example, the field-names "From", "FROM", "from", and even
   "FroM" are semantically equal and should all be treated ident-
   ically.         

   When generating these units, any mix of upper and  lower  case
   alphabetic  characters  may  be  used.  The case shown in this
   specification is suggested for message-creating processes.

So it's quite likely that you could be blocking other fully-compliant
messages that aren't virus-laden.

If you want to try anyway, you can add it as a condition in 
procmail:

   :0D
   * ^date: .*
   /dev/null

Ideally, you'd just use it as a precondition to speed things up (since
you're initially checking the headers and not the body):

   :0D
   * ^date:
   * B ?? ^Hi! How are you(\?|=3F)$.*$(I send you this file in order to have your advice|I hope you like the file that I sendo you|I hope you can help me with this file that I send|This is the file with the information you ask for)$.*$See you later(\.|=2E) Thanks
   /dev/null

I'm not sure how to do it with the MTA; sendmail's Check_Subject rulesets
aren't case sensitive.  Perhaps another MTA could do it so that the
delivery payload isn't involved?

Chris

A cursory examination of thousands of emails from mailing lists, private
sources, and other sources shows that the only messages using the lower
case 'date:' for the header are sent by the SirCam virus.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
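
An added example, not part of the original post or of procmail: a Python translation of the two-stage check in the recipe above, run over three constructed messages to show that the header-only test also hits a compliant message with a lowercase `date:` field, while the header-plus-body test does not. The function name `verdicts` and the sample messages are assumptions made for illustration.

```python
import re

# Python translation of the body condition in the recipe above. procmail's "$"
# consumes the newline itself, so each "$" becomes "\n" here.
BODY_RE = re.compile(
    r"^Hi! How are you(\?|=3F)\n.*\n"
    r"(I send you this file in order to have your advice"
    r"|I hope you like the file that I sendo you"
    r"|I hope you can help me with this file that I send"
    r"|This is the file with the information you ask for)\n.*\n"
    r"See you later(\.|=2E) Thanks",
    re.MULTILINE,
)
# Case-sensitive on purpose: the equivalent of the recipe's D flag.
LOWER_DATE_RE = re.compile(r"^date:", re.MULTILINE)


def verdicts(raw: str) -> tuple[bool, bool]:
    """Return (header_only_hit, header_and_body_hit) for one raw message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    header_hit = LOWER_DATE_RE.search(head) is not None
    # The body is scanned only when the cheap header precondition matched.
    return header_hit, header_hit and BODY_RE.search(body) is not None


# Constructed sample messages (not real traffic).
SIRCAM_LIKE = (
    "From: a@example.org\ndate: Wed, 25 Jul 2001 10:00:00 +0200\n"
    "Subject: report\n\n"
    "Hi! How are you=3F\n\n"
    "I hope you like the file that I sendo you\n\n"
    "See you later=2E Thanks\n"
)
COMPLIANT_LOWERCASE = (
    "from: b@example.org\ndate: Wed, 25 Jul 2001 11:00:00 +0200\n"
    "subject: minutes\n\nAgenda attached.\n"
)
ORDINARY = (
    "From: c@example.org\nDate: Wed, 25 Jul 2001 12:00:00 +0200\n"
    "Subject: hello\n\nHi! How are you?\n"
)

if __name__ == "__main__":
    for name, msg in [("sircam-like", SIRCAM_LIKE),
                      ("compliant-lowercase", COMPLIANT_LOWERCASE),
                      ("ordinary", ORDINARY)]:
        print(name, verdicts(msg))
```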
