
Re: bugbear filtering

2002-10-04 10:36:34
On Friday, Oct 4, 2002, at 07:39 Canada/Mountain, Michael Moritz wrote:
Thanks to both of you - I looked through the list archive and found this one:

# Klez (from Bart Schaefer on procmail list 20020427)
:0EB
* > 50000
* ^Content-Type:[       ]*(audio/x-|application)
* 1^0 ()<i?frame[       ]*src=(3d)?cid:
* 1^0 ^--[^ ]+$$Content-
* 1^0 ^--[^ ]+$--[^ ]+$
/var/mail/junk

What I use (I didn't write it, found it in archives):

# Trap Klez (signature as of 04/26/2002)
:0
* > 10000
* ^Content-Type:.*multipart/alternative;
{
        :0 B hfi
        * \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
        * ^Content-Type:.*audio/
        * ^TVqQAAMAAAAEAAAA
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"

        :0 B E hfi
        * ^Content-Type:.*application/octet-stream
        * ^Content-Transfer-Encoding: base64
        * ^TVqQAAMAAAAEAAAA
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
}


although I think that

:0
* > 50000
{
        :0B
        * Content-Type:[       ]*(audio/x-|application)
        /dev/null
}

would suffice, since I think anyone sending a wav in an email should be shot out of a cannon.

--
We can defeat gravity.  The problem is the paperwork involved.
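
Added example (not part of the original post and not code from the procmail list): the recipes above match the literal TVqQAAMAAAAEAAAA, which is the base64 encoding of the first 12 bytes of a DOS/PE executable header. The Python below generalizes that check by decoding each MIME part and testing for the MZ magic, so it does not depend on base64 line alignment or on the bytes after MZ; the function names, the sample message and the file name song.wav are constructed for illustration.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Literal matched by the recipes above: base64 of the first 12 bytes of a DOS/PE header.
RECIPE_LITERAL = "TVqQAAMAAAAEAAAA"
PE_PREFIX = base64.b64decode(RECIPE_LITERAL)  # b"MZ\x90\x00\x03\x00..."

def executable_parts(raw: bytes):
    """List (content_type, filename, verdict) for MIME parts whose decoded body starts with MZ."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if not body.startswith(b"MZ"):
            continue
        ctype = part.get_content_type()
        # An executable declared as audio/*, image/* etc. is the disguise the recipes look for.
        verdict = "executable" if ctype.startswith("application/") else "type-mismatch"
        hits.append((ctype, part.get_filename(), verdict))
    return hits

def build_sample(payload: bytes) -> bytes:
    """Constructed test message: text + HTML alternative plus one 'audio/x-wav' attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain body")
    msg.add_alternative("<p>html body</p>", subtype="html")
    msg.add_attachment(payload, maintype="audio", subtype="x-wav", filename="song.wav")
    return msg.as_bytes()

if __name__ == "__main__":
    fake_exe = PE_PREFIX + b"\x00" * 64  # constructed: header bytes only, not a real program
    print(executable_parts(build_sample(fake_exe)))               # flagged
    print(executable_parts(build_sample(b"RIFF" + b"\x00" * 64)))  # real-looking wav: not flagged
```

The size conditions in the recipes (> 10000, > 50000) are a cheap pre-filter and are left out here; a delivery filter would apply one before parsing.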
