
Re: Sobig.F recipe

2003-08-19 14:54:53
On Tue, 19 Aug 2003, Klaus Johannes Rusch wrote:

linux303 wrote:

Because the Sobig.F Worm is about 72K in size, would this work?

# Body search (B) and a lock (trailing colon) since delivery is to a plain file;
# the attachment extension is an alternation, not a character class
:0 B:
* > 73000
* < 75000
* \.(pif|scr)
/var/log/quarantine

Sobig.F has some special characteristics which you should check also:

# Headers Sobig.F forges, plus a .pif attachment name of one or more characters;
# SOME_FOLDER below is a placeholder action line
:0 BH
* ^X-MailScanner: Found to be clean
* ^X-Mailer: Microsoft Outlook
* filename="[a-z0-9_]+\.pif"
SOME_FOLDER


I spent some time coming up with a specific signature today, so
combining that with the size (which, based on the 1200+ examples I've
got, has a floor of closer to 98000), here's what I would use:

# Size floor: samples seen run 98000 and up, 90000 just to be safe.
# B flag: the base64 signature line is in the body; the '+' is escaped
# because it is a quantifier in procmail's regular expressions.
:0 B:
* > 90000
* ^VDvdKcYWznRbLRPadQ\+V576YUs6FwBGGrYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A$
SOME_FOLDER

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew(_at_)shanew(_dot_)net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
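
Added example, not code from the thread: the size, forged-header, attachment-name and base64-signature checks from the three recipes above, expressed in Python so they can be exercised against a constructed message. The message builder and its header values are constructed here; the 90000 floor takes the observed ~98000 minimum size as a lower bound.

```python
import email
import re

# Base64 line quoted in the thread. re.escape handles the literal '+', which is
# a quantifier both in Python regexes and in procmail's (where it is written \+).
SIG_LINE = "VDvdKcYWznRbLRPadQ+V576YUs6FwBGGrYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A"
SIG_RE = re.compile("^" + re.escape(SIG_LINE) + "$", re.MULTILINE)

# The thread's "[.pif|.scr]" is a character class: it matches any ONE of the
# characters . p i f | s c r, so "report.txt" matches it. The intended pattern
# is an alternation on the attachment filename.
BAD_CLASS_RE = re.compile(r"[.pif|.scr]")
FILENAME_RE = re.compile(r'filename="[a-z0-9_]+\.(pif|scr)"', re.IGNORECASE)

def classify(raw: bytes, size_floor: int = 90000) -> dict:
    """Evaluate each indicator separately so a log line can show which ones fired."""
    msg = email.message_from_bytes(raw)
    # Like procmail's B flag, look for the filename and signature in the body,
    # which includes the MIME part headers of the attachment.
    body = raw.decode("latin-1").partition("\n\n")[2]
    hits = {
        "size_ok": len(raw) > size_floor,
        "forged_scanner": msg.get("X-MailScanner", "").startswith("Found to be clean"),
        "outlook_mailer": msg.get("X-Mailer", "").startswith("Microsoft Outlook"),
        "pif_attachment": FILENAME_RE.search(body) is not None,
        "sig_line": SIG_RE.search(body) is not None,
    }
    # The signature alone is decisive; the header/filename combination needs the size floor too.
    hits["quarantine"] = hits["sig_line"] or (
        hits["size_ok"] and hits["forged_scanner"]
        and hits["outlook_mailer"] and hits["pif_attachment"])
    return hits

def build_sample(worm_like: bool) -> bytes:
    """Constructed test message, not a real sample: the worm-like variant carries the forged
    headers, a .pif attachment and the signature line padded to ~100 KB; the other is benign."""
    if worm_like:
        hdr = ("From: a@example.test\nTo: b@example.test\nSubject: Thank you!\n"
               "X-MailScanner: Found to be clean\nX-Mailer: Microsoft Outlook, Build 10.0.2616\n"
               'Content-Type: multipart/mixed; boundary="B"\n\n')
        att = ('--B\nContent-Type: application/octet-stream; name="your_document.pif"\n'
               'Content-Disposition: attachment; filename="your_document.pif"\n'
               "Content-Transfer-Encoding: base64\n\n")
        lines = [SIG_LINE] + ["A" * 76] * 1300   # filler pushes the size past the floor
        return (hdr + att + "\n".join(lines) + "\n--B--\n").encode()
    return (b"From: a@example.test\nTo: b@example.test\nSubject: report\n"
            b'Content-Type: multipart/mixed; boundary="B"\n\n--B\n'
            b'Content-Disposition: attachment; filename="report.txt"\n\nhello\n--B--\n')
```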


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail