Hi all,
This works fine in procmail; too much mail was filtered with this, but I see
that there is other mail with this virus that can enter. I believe there
are other variants of this virus.
Thanks in advance,
Regards,
From: Bart Schaefer <schaefer(_at_)zanshin(_dot_)com>
To: Luz Lopez <viaris(_at_)hotmail(_dot_)com>
CC: procmail(_at_)Lists(_dot_)RWTH-Aachen(_dot_)DE
Subject: Re: How to eliminate virus W32/Klez(_at_)mm
Date: Fri, 19 Apr 2002 08:52:10 -0700 (PDT)
On Fri, 19 Apr 2002, Luz Lopez wrote:
> I want to use procmail to filter viruses. I have a procmailrc working with
> sendmail, but I haven't any idea how I can filter the virus W32/Klez(_at_)mm.
I believe the procmail sanitizer would catch it because it uses a .pif
file for its payload.
http://www.impsec.org/email-tools/procmail-security.html
However, here's the simple procmail rule I'm using for it (as shown, this
dumps it in a folder named "virus"):
:0 Bh
* > 50000
* ^Content-Type:[ ]*(audio/x-|application)
* 1^0 ()<i?frame[ ]*src=(3d)?cid:
* 1^0 ^--[^ ]+$$Content-
virus
The '$$Content-' rule is really the magic one -- Klez sends broken MIME
format with an extra blank line between one of the bodypart separators
and the embedded Content- header. The $$ there matches two consecutive
newlines.
You could probably go with > 200000 in the first test if you wanted to;
the Klez messages always seem to be about 260k.
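The recipe above, re-expressed as a Python checker so the individual conditions can be exercised against a sample message (an added example, not code from the thread or from procmail). It reads the recipe as "every unweighted condition must hold and at least one of the `1^0` weighted conditions must hit", scans only the body as the `B` flag does, and treats procmail's `$$` as two consecutive newlines. The two sample messages are constructed here; nothing in them is a real capture.

```python
import re

SIZE_THRESHOLD = 50000  # the recipe's "* > 50000" (bytes of the whole message)

# Patterns transcribed from the recipe. procmail matches case-insensitively,
# and its '$' matches a newline, so '$$Content-' becomes '\n\nContent-'.
ATTACH_RE = re.compile(r"^Content-Type:[ \t]*(audio/x-|application)", re.I | re.M)
IFRAME_RE = re.compile(r"<i?frame[ \t]*src=(3d)?cid:", re.I)
BLANK_AFTER_BOUNDARY_RE = re.compile(r"^--[^ \n]+\n\nContent-", re.I | re.M)


def split_message(raw: str):
    """Return (header, body); the B flag makes procmail scan only the body."""
    head, _sep, body = raw.partition("\n\n")
    return head, body


def matches_klez_recipe(raw: str, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Evaluate each condition of the recipe and report which ones fired.

    'deliver_to_virus' is the overall verdict: both unweighted conditions
    (size and an attachment-style part) plus at least one weighted condition
    (iframe cid: reference, or the blank line after a bodypart separator).
    """
    _, body = split_message(raw)
    hits = {
        "size": len(raw.encode()) > size_threshold,
        "attachment_part": bool(ATTACH_RE.search(body)),
        "iframe_cid": bool(IFRAME_RE.search(body)),
        "blank_after_boundary": bool(BLANK_AFTER_BOUNDARY_RE.search(body)),
    }
    hits["deliver_to_virus"] = (
        hits["size"]
        and hits["attachment_part"]
        and (hits["iframe_cid"] or hits["blank_after_boundary"])
    )
    return hits


def build_sample(blank_line_after_boundary: bool, padding: int = 60000) -> str:
    """Construct a two-part multipart/mixed message (constructed test data).

    With blank_line_after_boundary=True the second part is preceded by the
    extra blank line the thread describes; otherwise the MIME is well formed.
    """
    gap = "\n" if blank_line_after_boundary else ""
    return (
        "From: sender@example.invalid\n"
        "Subject: constructed sample\n"
        'Content-Type: multipart/mixed; boundary="part-boundary"\n'
        "\n"
        "--part-boundary\n"
        "Content-Type: text/html\n"
        "\n"
        "<html><body>hello</body></html>\n"
        "--part-boundary\n"
        + gap
        + "Content-Type: application/octet-stream; name=attachment.bin\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        + "QUFB" * (padding // 4)  # filler so the message clears the size test
        + "\n--part-boundary--\n"
    )


if __name__ == "__main__":
    for label, broken in (("broken MIME", True), ("well-formed MIME", False)):
        print(label, matches_klez_recipe(build_sample(broken)))
```

Running it shows that the well-formed message passes the size and attachment conditions yet is not delivered to `virus`, while the copy with the stray blank line is; that isolates the `$$Content-` condition as the one doing the work, as the message above says.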