A reasonably good Content-Type: check, before the body is searched, is:
* ^content-type:[	 ]*($[	 ]+)*(multipart/(mixed|alternative|application|signed|encrypted))|(application/)
where the two characters in brackets are a tab (hex 09) followed by
a space (hex 20); and use an :0 E construct to search the body if
that fails. It's a quick check (and does not include all
possibilities, but catches most) to preclude searching the body.
Since base64 encoding raises the information entropy, it is not
necessary to search for the entire first record. Since base64 uses
[0-9A-Za-z], or a total of 62 characters, searching only the first 7
characters will give a false positive of 3 in a trillion (i.e.,
62^7).
Further, as pointed out elsewhere by David Tamkin, a construct for
searching the body for multiple virii would be like:
# B flag added so the conditions are matched against the body, as described
:0 B:
* 2147483647^0 ^keychars1
* 2147483647^0 ^keychars2
* 2147483647^0 ^keychars3
* 2147483647^0 ^keychars4
.
.
.
virii
where the most prolific virus has a signature of ^keychars1 (probably
^tvqqaam for Nimda these days), and so on, so that as soon as any virus
is found, it does no more searching (see the bottom of man procmailsc
for details).
There is probably a way of only searching the first 100 or so lines
of the body, too, which would speed things up substantially.
John
BTW, the existence of the MIME headers (MIME-Version: and
Content-Type:) can be used to further reduce the search; if they don't
exist, the message is not MIME, but some implementations do not adhere
to the standard, even though the RFC requires it. Not to mention any
names, of course.
kremels(_at_)kreme(_dot_)com writes:
On Mon, 25-Nov-2002, at 15:09:49 -0700, James Clark wrote:
On Mon, Nov 25, 2002 at 02:24:27PM -0600, scott.list wrote:
Does anyone have a recipe for handling the W32(_dot_)Klez(_dot_)H(_at_)mm
virus? I've
This should help.
##KLEZ WORM PROCMAIL FILTER - COURTESY OF WWW.SHOVE-IT.COM
:0 B:
* ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$
klez
The drawback to this is it means the body of every single message gets
checked.
This is unnecessary since you can check against the content-type and
various other headers before doing the expensive body check.
Is there a way to filter out non-English messages using procmail?
Content-Type is your friend.
--
The Piper's calling you to join him
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
--
John Conover, conover(_at_)rahul(_dot_)net, http://www.rahul.net/~conover
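The two-stage check discussed in this thread (a cheap, fold-aware Content-Type: header test, then a body search for the first 7 base64 characters of each signature that stops at the first hit), modelled in Python as an added example; this is not procmail and not code from the thread. It treats the header check as a gate and omits the :0 E fallback; the sample messages are constructed, the Nimda prefix is the one named in the post, and the Klez prefix is the first 7 characters of the quoted recipe's signature.

```python
import re
from typing import Dict, Optional, Tuple

# Mirror of the post's header regex: the value may be folded onto
# continuation lines, so allow "\n" plus tab/space between name and value,
# like the recipe's ($[<tab> ]+)* group. Case-insensitive as in procmail.
CONTENT_TYPE_PRECHECK = re.compile(
    r"^content-type:[ \t]*(\n[ \t]+)*"
    r"(multipart/(mixed|alternative|application|signed|encrypted)|application/)",
    re.IGNORECASE | re.MULTILINE,
)

# Ordered most-prolific first; only the first 7 base64 characters are kept,
# following the post's argument that a 7-character prefix is enough.
SIGNATURES = [
    ("nimda", "tvqqaam"),   # prefix named in the post
    ("klez", "135AAIt"),    # first 7 chars of the quoted recipe's signature
]

# Constructed sample messages (not real mail); the base64 line in the
# second one encodes a DOS "MZ" header, which is what the Nimda prefix hits.
SAMPLE_MESSAGES: Dict[str, str] = {
    "plain": "From: a@example.test\nContent-Type: text/plain\n\nTVqQAAMAAAAEAAAA\n",
    "folded_mixed": "Content-Type:\n multipart/mixed;\n\tboundary=\"x\"\n\n--x\n"
                    "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n--x--\n",
    "klez_like": "Content-Type: application/octet-stream\n\n135AAItEjhyJRI8c\n",
}

def split_message(raw: str) -> Tuple[str, str]:
    """Split raw RFC 822 text into (headers, body) at the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head, body

def header_says_attachment(headers: str) -> bool:
    """Cheap pre-check: does Content-Type: suggest a multipart/application body?"""
    return CONTENT_TYPE_PRECHECK.search(headers) is not None

def first_signature_hit(body: str) -> Optional[str]:
    """Line-anchored prefix search; returns on the first hit, like the
    2147483647^0 weighted conditions that stop searching once one matches."""
    for name, prefix in SIGNATURES:
        if re.search(r"^" + re.escape(prefix), body, re.IGNORECASE | re.MULTILINE):
            return name
    return None

def classify(raw: str) -> Optional[str]:
    """Header gate first; the expensive body search runs only if it passes."""
    headers, body = split_message(raw)
    if not header_says_attachment(headers):
        return None
    return first_signature_hit(body)

def classify_samples() -> Dict[str, Optional[str]]:
    return {name: classify(raw) for name, raw in SAMPLE_MESSAGES.items()}
```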