On Friday, Oct 4, 2002, at 07:39 Canada/Mountain, Michael Moritz wrote:
> Thanks to both of you - I looked through the list archive and found
> this one:
> # Klez (from Bart Schaefer on procmail list 20020427)
> :0EB
> * > 50000
> * ^Content-Type:[ ]*(audio/x-|application)
> * 1^0 ()<i?frame[ ]*src=(3d)?cid:
> * 1^0 ^--[^ ]+$$Content-
> * 1^0 ^--[^ ]+$--[^ ]+$
> /var/mail/junk
What I use (I didn't write it, found it in archives):
# Trap Klez (signature as of 04/26/2002)
:0
* > 10000
* ^Content-Type:.*multipart/alternative;
{
:0 B hfi
* \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
* ^Content-Type:.*audio/
* ^TVqQAAMAAAAEAAAA
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
:0 B E hfi
* ^Content-Type:.*application/octet-stream
* ^Content-Transfer-Encoding: base64
* ^TVqQAAMAAAAEAAAA
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
}
although I think that
:0
* > 50000
{
:0B
* Content-Type:[ ]*(audio/x-|application)
/dev/null
}
would suffice since I think anyone sending a wav in an email should be
shot out of a cannon.
--
We can defeat gravity. The problem is the paperwork involved.
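
The `TVqQAAMAAAAEAAAA` condition in the recipes above is the base64 encoding of the first 12 bytes of a Windows executable (the `MZ` header) at the start of an attachment body. As an added example (not part of the original post or the list archive), the Python below derives that string and applies the same check to decoded MIME parts, generalised to any audio/* or application/* part; the function names and the sample message are constructed for illustration.

```python
import base64
from email import message_from_bytes, policy

# First 12 bytes of a typical DOS/PE executable: the "MZ" header.
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000")
# Base64 of those bytes is the literal string the recipes match at line start.
MZ_B64 = base64.b64encode(MZ_HEADER).decode()  # "TVqQAAMAAAAEAAAA"

def suspicious_parts(raw: bytes):
    """Return (content_type, filename) for every audio/* or application/*
    part whose decoded payload begins with the two-byte 'MZ' magic."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if (part.get_content_maintype() in ("audio", "application")
                and payload.startswith(b"MZ")):
            hits.append((part.get_content_type(), part.get_filename()))
    return hits

def build_sample(payload: bytes, ctype: str = "audio/x-wav") -> bytes:
    """Constructed test message (not a captured sample): a text part plus
    one base64 attachment carrying `payload` under the declared `ctype`."""
    b64 = base64.encodebytes(payload).decode()
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="BOUND"\n'
        "\n"
        "--BOUND\n"
        "Content-Type: text/plain\n"
        "\n"
        "hello\n"
        "--BOUND\n"
        f'Content-Type: {ctype}; name="song.exe"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{b64}"
        "--BOUND--\n"
    ).encode("ascii")

if __name__ == "__main__":
    fake_exe = MZ_HEADER + b"\x00" * 52      # header bytes only, not a program
    print(MZ_B64)
    print(suspicious_parts(build_sample(fake_exe)))
```

Checking the decoded bytes rather than the raw body line also covers parts sent with a transfer encoding other than base64, which the `^TVqQ...` condition cannot see.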