Thanks to both of you - I looked through the list archive and found this one:
# Klez (from Bart Schaefer on procmail list 20020427)
:0EB
* > 50000
* ^Content-Type:[ ]*(audio/x-|application)
* 1^0 ()<i?frame[ ]*src=(3d)?cid:
* 1^0 ^--[^ ]+$$Content-
* 1^0 ^--[^ ]+$--[^ ]+$
/var/mail/junk
The problem is that it filtered this message among some real virus ones:
[ Part 1, Text/HTML 4 lines. ]
[ Not Shown. Use the "V" command to view or save this part. ]
[ Part 2, Audio/X-WAV 127KB. ]
[ Cannot play this part. Press "V" then "S" to save in a file. ]
[ Part 4, Application/OCTET-STREAM (Name: "signup") 1.4KB. ]
[ Cannot display this part. Press "V" then "S" to save in a file. ]
I checked the attachments - they are okay file though it may seem stupid to
send X-WAV files these days..
mm
10/4/02 2:23:56 PM, Don Hammond <procmail(_at_)tradersdata(_dot_)com> wrote:
discussion of Klez (bugbear?) recipes. I want to point out that your
recipe won't work. Procmail scans headers only by default, so you have
Overnight it caught 500 messages - not a single one was misidentified (but
maybe I changed some bits in the meanwhile
and lost the goods ones:)
How would I make one line case sensitive and the others not? (I know RTFM)
mm
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail