I've had success using this recipe:
:0HBw
* > 70000
* < 120000
* ^Subject: [Re: Re: Thank you!|Re: Thank you!|Thank you!|Your details|Re:
Details|Re: Re: My details|Re: Approved|Re: Your application|Re: Wicked
screensaveensaver|Re: That movie]
* [.pif|.scr]
* the attached file for details
/var/log/procmail/quarantine/virus_sobig.f
Most of the ones I've seen are over 100kB in size.
Your Subject: filter could use a bit of work,
* ^Subject:.*(re: )*(thank you|(my |your )?(details|app)|your app|Wicked|that
movie)
will catch everything that your rule will catch, plus some. Though I
am not sure I would want to filter on subject at all when I am looking
for a virus.
The subject can and probably will someday be completely random, or if
you start with that assumption, will have to go back and make changes
every time a new strain of the virus is released. I use the same
argument on .pif|.scr when this could also mutate into .zip|.exe|.com
and so on.
Viruses are MIME attachments to emails (at least the ones we can find
with procmail are). The maximum size keeps growing, but there is a
constant for the minimum size. Distinct headers for the virus have
been posted, but I think we can assume that headers will not be
permanent either. What should be permanent however, is the body
signature.
My suggestion for taking this down a notch looks like this
:0
* > 70000
* ^X-MailScanner: Found to be clean
* ^TYg45jEaa7EKGvkUwszJYGUwjTJWkCSxN9IbQBPZPwxmHINeoyVswne23sTxda
/dev/null
The only reason I include the MailScanner line is
1) we know it is in the Sobig.F email headers
1) it is false and misleading
2) it gives the recipe a quicker chance to drop out it it's not there.
Now that we have a recipe figured out for Sobig.F, what can we do about
all the false warnings we are receiving due to the forged sender headers?
And, all the McAffee and Norton notices.
Take a look at www.spambouncer.org. If you ever wanted to learn procmail,
the scripts bundled in spambouncer offer fantastic examples to follow.
Plus, the work for Sobig.F, and it's aftermath from virus companies and
false bounces are already recognized.
Dan Liston
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail