Re: How to eliminate virus W32/Klez(_at_)mm

Hi all,

This work fine in procmail, to much mail was filtred with this, but, I see 
that there are other mail with hist virus that can enter, I beleive there 
are other variants of this virus.
Thanks in advanced,

Regards,

> From: Bart Schaefer <schaefer(_at_)zanshin(_dot_)com>
> To: Luz Lopez <viaris(_at_)hotmail(_dot_)com>
> CC: procmail(_at_)Lists(_dot_)RWTH-Aachen(_dot_)DE
> Subject: Re: How to eliminate virus W32/Klez(_at_)mm
> Date: Fri, 19 Apr 2002 08:52:10 -0700 (PDT)
>
> On Fri, 19 Apr 2002, Luz Lopez wrote:
>
> > I want to use procmail to filter virus, I have a procmailrc working with
> > sendmail, but I Have'nt idea how can I to filter the virus W32/Klez(_at_)mm?
>
> I believe the procmail sanitizer would catch it because it uses a .pif
> file for its payload.
>         http://www.impsec.org/email-tools/procmail-security.html
>
> However, here's the simple procmail rule I'm using for it (as shown, this
> dumps it in a folder named "virus"):
>
> :0 Bh
> * > 50000
> * ^Content-Type:[        ]*(audio/x-|application)
> * 1^0 ()<i?frame[        ]*src=(3d)?cid:
> * 1^0 ^--[^ ]+$$Content-
> virus
>
> The '$$Content-' rule is really the magic one -- Klez sends broken MIME
> format with an extra blank line between one of the bodypart separators
> and the embedded Content- header.  The $$ there matches two consecutive
> newlines.
>
> You could probably go with > 200000 in the first test if you wanted to,
> the Klez messages always seem to be about 260k.

_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail