procmail

Re: bugbear filtering

2002-10-04 06:38:48
On  4 Oct, Michael Moritz wrote:
| [...]
| 
| :0 D
| *Content-Transfer-Encoding: base64
| *TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA
| *AEAAAAAAAAAAAAAAAAAABAAADgLnJzcmMA
| /var/mail/junk
| 
| [...]

Sean's already pointed out that the list archives have plenty of
discussion of Klez (bugbear?) recipes. I want to point out that your
recipe won't work.  Procmail scans headers only by default, so you have
to tell it when you want to scan the body. It's unlikely to find
matches for the last 2 conditions in the headers, and if it does
it's probably not what you think it is. ;-) Add "BH" flags along with
the "D" (unless you only care about Content-Transfer-Encoding in the
body, in which case add "B" only).

Also, I don't think the "D" flag is necessary, and may let some messages
through. Although it is probably technically correct for the two body
conditions to be case sensitive, the odds of a message matching on
everything BUT case are infinitesimal. OTOH, it is possible for the
Content-Transfer-Encoding to have different case. I've got a bunch of
Content-transfer-encoding in my captured viruses.

-- 
Reply to list please, or append "8" to "procmail" in address if you must.
Spammers' unrelenting address harvesting forces me to this...reluctantly.
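
Added example, not part of the original message: a simplified Python model of the procmail H, B and D recipe flags discussed above, applied to the three conditions from the quoted recipe. The sample message and the `recipe_matches` helper are constructed for illustration and are not procmail's own code.

```python
import re

# Conditions copied from the quoted recipe (leading "*" removed).
CONDITIONS = [
    r"Content-Transfer-Encoding: base64",
    r"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA",
    r"AEAAAAAAAAAAAAAAAAAABAAADgLnJzcmMA",
]

# Constructed sample: the encoding line sits in a MIME part header, which
# procmail treats as body text, and uses the "Content-transfer-encoding"
# casing mentioned in the reply.
SAMPLE = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    "Content-transfer-encoding: base64\n"
    "\n"
    + CONDITIONS[1] + "AAAAAA\n"
    + "AAAA" + CONDITIONS[2] + "AA\n"
    "--b1--\n"
)

def recipe_matches(raw, flags, conditions=CONDITIONS):
    """Return True if every condition matches under the given recipe flags.

    H: search the header (the default when neither H nor B is given).
    B: search the body.  D: distinguish upper and lower case.
    """
    header, _, body = raw.partition("\n\n")  # split at the first blank line
    parts = []
    if "H" in flags or "B" not in flags:
        parts.append(header)
    if "B" in flags:
        parts.append(body)
    area = "\n".join(parts)
    re_flags = re.MULTILINE | (0 if "D" in flags else re.IGNORECASE)
    return all(re.search(c, area, re_flags) for c in conditions)

if __name__ == "__main__":
    for flags in ("D", "BHD", "BH", "B"):
        print(f":0 {flags:<3} -> {recipe_matches(SAMPLE, flags)}")
```
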


