procmail

Re: Sircam virus answer

2001-07-25 17:23:05
Also, the two trailing '-' characters are missing in the last MIME
multipart boundary string (it's the same as the one in the
content-type header).

        John

Trying to track the SirCam virus without looking at the body of the
message, we've found a way to track it via headers.

In the header of the message, everything looks dynamic, and so tracking it
seems to be hard.  However, there is a slip -- the Date: header actually
appears as 'date:'.

A cursory examination of thousands of emails from mailing lists, private
sources, and other sources shows that the only messages using the lower
case 'date:' for the header are sent by the SirCam virus.

This may help those of you who want to filter on headers and not on
message body.

-- 

John Conover        Tel. 408.370.2688  conover(_at_)rahul(_dot_)net
631 Lamont Ct.      Fax. 408.379.9602  http://www.johncon.com/
Campbell, CA 95008  Cel. 408.772.7733  

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
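Added example, not part of the original posting: a small Python checker for the two header-level indicators the thread describes, an all-lower-case 'date:' header name and a final MIME boundary that lacks the trailing '--'. The two sample messages are constructed here for illustration; the header-name check is deliberately case-sensitive, since RFC 2822 header names are case-insensitive and the whole point of the heuristic is that almost nothing legitimate spells it 'date:'.

```python
import re
from typing import List, Optional, Tuple


def split_headers_body(raw: str) -> Tuple[List[str], str]:
    """Split a raw message into unfolded header lines and the body text."""
    head, _, body = raw.partition("\n\n")
    lines: List[str] = []
    for line in head.splitlines():
        # continuation lines (leading whitespace) belong to the previous header
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines, body


def header_names(header_lines: List[str]) -> List[str]:
    """Header names exactly as spelled in the message (case preserved)."""
    return [l.split(":", 1)[0] for l in header_lines if ":" in l]


def has_lowercase_date_header(raw: str) -> bool:
    """True when a header is spelled exactly 'date' (all lower case).

    This is case-sensitive on purpose: a normal 'Date:' header must not match.
    """
    headers, _ = split_headers_body(raw)
    return any(name == "date" for name in header_names(headers))


def mime_boundary(raw: str) -> Optional[str]:
    """Return the boundary= parameter of the Content-Type header, if any."""
    headers, _ = split_headers_body(raw)
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            m = re.search(r'boundary="?([^";\s]+)"?', value, re.I)
            return m.group(1) if m else None
    return None


def closing_boundary_missing(raw: str) -> bool:
    """True when the body uses '--boundary' delimiters but never closes with '--boundary--'."""
    boundary = mime_boundary(raw)
    if boundary is None:
        return False  # not multipart: nothing to check
    _, body = split_headers_body(raw)
    lines = [l.rstrip() for l in body.splitlines()]
    opened = any(l == "--" + boundary for l in lines)
    closed = any(l == "--" + boundary + "--" for l in lines)
    return opened and not closed


def sircam_header_indicators(raw: str) -> dict:
    """Both header-level indicators from the thread, without reading the body content."""
    return {
        "lowercase_date": has_lowercase_date_header(raw),
        "closing_boundary_missing": closing_boundary_missing(raw),
    }


# Constructed sample messages (not real captures).
SUSPECT = "\n".join([
    "From: someone@example.invalid",
    "To: you@example.invalid",
    "Subject: test",
    "date: Wed, 25 Jul 2001 17:23:05 -0700",      # lower-case header name
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="----abc123"',
    "",
    "------abc123",
    "Content-Type: text/plain",
    "",
    "hello",
    "------abc123",
    "Content-Type: application/octet-stream",
    "",
    "AAAA",
    "------abc123",                                # closer lacks trailing '--'
    "",
])

CLEAN = "\n".join([
    "From: someone@example.invalid",
    "To: you@example.invalid",
    "Subject: test",
    "Date: Wed, 25 Jul 2001 17:23:05 -0700",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="----abc123"',
    "",
    "------abc123",
    "Content-Type: text/plain",
    "",
    "hello",
    "------abc123--",
    "",
])

if __name__ == "__main__":
    print("suspect:", sircam_header_indicators(SUSPECT))
    print("clean:  ", sircam_header_indicators(CLEAN))
```

The equivalent procmail condition needs the `D` flag (`:0 D` followed by `* ^date:`), because procmail's regexp matching ignores case by default and would otherwise match every ordinary `Date:` header. Both checks are heuristics, not signatures: treat a hit as a reason to quarantine or tag, not as proof of infection.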
