I think everybody has their own favorite way of detecting Virii/Worms
in e-mail attachments. Mine is at:
http://www.johncon.com/john/receivedIP/howto-virus.txt
but it does involve searching the body.
John
Daniel Liston writes:
I've had success using this recipe:
# Each procmail condition must sit on one line; alternation is written (a|b),
# not [a|b] (square brackets are a character class). The trailing colon on
# the flag line locks the quarantine file while the message is appended.
:0HBw:
* > 70000
* < 120000
* ^Subject: (Re: Re: Thank you!|Re: Thank you!|Thank you!|Your details|Re: Details|Re: Re: My details|Re: Approved|Re: Your application|Re: Wicked screensaver|Re: That movie)
* (\.pif|\.scr)
* the attached file for details
/var/log/procmail/quarantine/virus_sobig.f
Most of the ones I've seen are over 100kB in size.
Your Subject: filter could use a bit of work,
* ^Subject:.*(re: )*(thank you|(my |your )?(details|app)|your app|Wicked|that movie)
will catch everything that your rule will catch, plus some. Though I
am not sure I would want to filter on subject at all when I am looking
for a virus.
The subject can and probably will someday be completely random, or, if
you start with that assumption, you will have to go back and make changes
every time a new strain of the virus is released. I use the same
argument on .pif|.scr when this could also mutate into .zip|.exe|.com
and so on.
Viruses are MIME attachments to emails (at least the ones we can find
with procmail are). The maximum size keeps growing, but there is a
constant for the minimum size. Distinct headers for the virus have
been posted, but I think we can assume that headers will not be
permanent either. What should be permanent, however, is the body
signature.
--
John Conover, conover(_at_)rahul(_dot_)net, http://www.rahul.net/~conover
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
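The argument in the thread (subject lines and attachment extensions change with every strain, while the size window and the body phrase stay put) can be checked directly. Below is an added example, not code from the thread or from procmail: a small Python script that rebuilds both rules over constructed messages and shows that a variant with a new subject and a .zip name slips past the Subject:/.pif rule but still trips the body-signature rule. The size limits and the phrase "the attached file for details" are taken from the posted recipe; the sender and recipient addresses, the subject text of the variant, and the dummy attachment bytes are constructed placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Two rules, both reconstructions of the procmail logic in the thread:
# one keyed on the mutable features (Subject: line, .pif/.scr name),
# one keyed on the features argued to be stable (size window, body phrase,
# presence of any MIME attachment at all).
SIZE_MIN, SIZE_MAX = 70000, 120000            # limits from the posted recipe
BODY_SIGNATURE = "the attached file for details"
SUBJECT_RE = re.compile(
    r"^(re: )*(thank you!|your details|details|my details|approved|"
    r"your application|wicked screensaver|that movie)$", re.I)
MUTABLE_EXTS = (".pif", ".scr")


def build_sample(subject, filename, body, attachment_len):
    """Constructed message in the shape the thread describes. The dummy
    attachment is base64-encoded, so 60000 bytes lands the whole message
    inside the 70-120 kB window."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"     # placeholder address
    msg["To"] = "recipient@example.invalid"    # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\0" * attachment_len, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def _parse(raw):
    """Parse raw bytes and evaluate the size condition shared by both rules."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    size_ok = SIZE_MIN < len(raw) < SIZE_MAX
    return msg, size_ok


def subject_rule(raw):
    """Matches only while the subject and attachment name stay on the list."""
    msg, size_ok = _parse(raw)
    subject = str(msg["Subject"] or "")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return (size_ok and SUBJECT_RE.search(subject) is not None
            and any(n.endswith(MUTABLE_EXTS) for n in names))


def body_rule(raw):
    """Matches on size window + body signature + any attachment, regardless
    of the subject line or the attachment's extension."""
    msg, size_ok = _parse(raw)
    text_part = msg.get_body(preferencelist=("plain",))
    text = text_part.get_content().lower() if text_part is not None else ""
    has_attachment = any(True for _ in msg.iter_attachments())
    return size_ok and BODY_SIGNATURE in text and has_attachment


def compare_rules():
    """Return (subject_rule, body_rule) results for the original shape and
    for a variant that changed only the subject and the file extension."""
    original = build_sample("Re: Thank you!", "details.pif",
                            "Please see the attached file for details.", 60000)
    variant = build_sample("hello", "archive.zip",
                           "Please see the attached file for details.", 60000)
    return {
        "original": (subject_rule(original), body_rule(original)),
        "variant": (subject_rule(variant), body_rule(variant)),
    }


if __name__ == "__main__":
    for name, (by_subject, by_body) in compare_rules().items():
        print(f"{name}: subject rule={by_subject}, body rule={by_body}")
```

The body rule still carries a false-positive risk of its own (any attachment plus a common phrase inside a size window), which is why the posted recipe quarantines to a file rather than discarding; the point the script makes is only which features survive a strain change.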