
Re: Sircam virus answer

2001-07-25 17:19:34
On 25 Jul, Christopher P. Lindsey wrote:
| > What code is needed for this?
| 
| Ummm, I wouldn't risk filtering solely on this condition.
| 
| [...]
| 
| So it's quite likely that you could be blocking other fully-compliant
| messages that aren't virus-laden.
| 
| [...]
| 
| > > A cursory examination of thousands of emails from mailing lists, private
| > > sources, and other sources shows that the only messages using the lower
| > > case 'date:' for the header are sent by the SirCam virus.

I responded to this post on the incidents list at SecurityFocus. This
analysis *may* indicate there won't be any false positives matching for
"date:" in practice, though Chris correctly points out the danger. But
it says nothing for false negatives. The only one of these I've received
directly with a payload had a "normal" Date: header. When filtering for
a virus, I can tolerate a false positive or two. But one false negative
defeats the whole purpose. This might be useful as part of a more
complex heuristic, but I don't personally think that's even necessary. I
know it's not for me. And it should not be relied on alone. It
absolutely will not work.

-- 
                   /"\
Don Hammond        \ /     ASCII Ribbon Campaign
Raleigh, NC US      X        Against HTML Mail,
                   / \      and News Too

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
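As an added illustration, not part of Don's message or of the thread, the script below runs the "lowercase date:" heuristic over four constructed messages and tallies the outcome. The sample messages, labels and function names are assumptions made for the example; they are not captured SirCam traffic. The point it shows is the one argued above: the check only sees header-name case, so a compliant MUA that happens to emit "date:" is a false positive, and a virus-laden message carrying a normal "Date:" header slips through as a false negative.

```python
"""Evaluate the 'lowercase date: header' heuristic on constructed messages.

Header field names are case-insensitive under RFC 822/2822, so a filter that
keys on the exact bytes 'date:' is matching on a quirk of one sender, not on
anything the message format guarantees. This script makes that concrete.
"""


def build_message(date_field_name: str) -> bytes:
    """Construct a minimal RFC 822 message whose Date field name is spelled as given."""
    return (
        "From: sender@example.test\r\n"
        "To: recipient@example.test\r\n"
        f"{date_field_name}: Wed, 25 Jul 2001 17:19:34 -0400\r\n"
        "Subject: constructed sample\r\n"
        "\r\n"
        "body text\r\n"
    ).encode("ascii")


# Constructed corpus (hypothetical labels, not real captures):
#   (description, raw message bytes, is_malicious)
SAMPLES = [
    ("virus sample with lowercase 'date:'", build_message("date"), True),
    ("virus sample with normal 'Date:'", build_message("Date"), True),
    ("legitimate mail with normal 'Date:'", build_message("Date"), False),
    ("legitimate mail from an MUA emitting 'date:'", build_message("date"), False),
]


def raw_header_names(raw: bytes) -> list:
    """Return header field names exactly as they appear on the wire, case preserved.

    The stdlib email parser would also keep the case, but splitting the raw
    bytes makes it explicit that we are looking at the sender's spelling.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):  # folded continuation line, no field name
            continue
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.decode("ascii", "replace"))
    return names


def has_lowercase_date(raw: bytes) -> bool:
    """The heuristic under discussion: flag a message whose Date field is spelled 'date'."""
    return "date" in raw_header_names(raw)


def evaluate(samples=SAMPLES) -> dict:
    """Run the heuristic over labelled samples and count the four outcome classes."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _, raw, is_malicious in samples:
        flagged = has_lowercase_date(raw)
        if flagged and is_malicious:
            counts["tp"] += 1
        elif flagged and not is_malicious:
            counts["fp"] += 1
        elif not flagged and is_malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for description, raw, is_malicious in SAMPLES:
        verdict = "FLAGGED" if has_lowercase_date(raw) else "passed "
        print(f"{verdict}  malicious={is_malicious!s:5}  {description}")
    print(evaluate())
```

Run it and the tally comes out one each of true positive, false positive, false negative and true negative. One procmail caveat worth knowing if anyone does try this as part of a larger heuristic: procmail's regex matching ignores case by default, so a recipe must carry the `D` flag for `^date:` to distinguish "date:" from "Date:" at all.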
