At 10:30 2003-08-21 +0200, Fredrik Rodland wrote:
> YAVR catches a lot of worms (now updated with sobig.f).

I'm rather happy with the results of a generic executable filter. In this
day and age, there's no reason good enough to necessitate transmitting
attachments in an executable state (the sole exception would be an SFX
unpacker, but frankly, if someone REALLY needed to email you one, they
could change the file extension completely, and direct you to manually
change it back - thus adding a level of deliberate action to the process).
Scanning bodies - especially large ones - for 31 different strings - and
trust me, every one of these strings is going to be searched for, even if
the first handful of them causes the score to be elevated above the
compensation value, and since there's no upper limit to the message size,
this WILL search every message, including those ever-popular MPEG video
files, etc.
To be honest, I haven't run your filter (seeing as the generic executable
filter I already have in place catches the viruses and worms just fine),
but unless something from the first batch of conditions is always expected
to match (or conditions outside of the individual variants do), then a
batch of 5 200 weight conditions is only going to bring the score to ...
1000. The math:
-1000
+1000
= 0
which won't trigger the recipe, since you need a positive score to do that.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
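
An added example, not part of the original message and not YAVR's recipe: a simplified Python model of procmail's weighted regex conditions (`w^x`), run on the arithmetic discussed in the message above. The marker strings, the shared condition, the body and all names are constructed assumptions.

```python
import re

# Simplified model of procmail's weighted regex conditions ("w^x regexp"):
# the n-th match of a condition adds w * x**(n-1), and the recipe fires only
# if the final score is positive. Program and length conditions are not modelled.

def score_recipe(conditions, text):
    """conditions: list of (weight, exponent, pattern).
    Returns (score, fires, searches)."""
    score = 0
    searches = 0
    for weight, exponent, pattern in conditions:
        # As the message notes, a score already above the compensation value
        # does not stop the remaining searches: every condition is evaluated.
        searches += 1
        if pattern == "":
            hits = 1  # empty pattern: unconditional term, counted once
        else:
            hits = sum(1 for m in re.finditer(pattern, text, re.IGNORECASE)
                       if m.group(0))
        score += sum(weight * exponent ** k for k in range(hits))
    return score, score > 0, searches

# Constructed placeholders, not real worm signatures.
MARKERS = ["marker-one", "marker-two", "marker-three",
           "marker-four", "marker-five"]

# Hypothetical variant block: compensation value plus five 200-weight conditions.
VARIANT = [(-1000, 0, "")] + [(200, 0, re.escape(m)) for m in MARKERS]

# Hypothetical condition from an earlier, shared batch that also matches.
SHARED = [(200, 0, r"shared-marker")]

# Constructed message body containing every marker (one of them twice).
BODY = "shared-marker " + " ".join(MARKERS) + " marker-one"

if __name__ == "__main__":
    print(score_recipe(VARIANT, BODY))           # all five match, score is 0
    print(score_recipe(SHARED + VARIANT, BODY))  # one extra match tips it positive
```

With an exponent of 0 the repeated `marker-one` adds nothing, so five matching conditions land exactly on zero and the recipe does not fire.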