On Fri, Sep 19, 2003 at 10:31:00AM +0000, Klaus Johannes Rusch wrote:
Has anyone written a solid recipe to catch W32.Swen.A@mm (aka W32/Gibe-F) yet?
Of course. And the old virus snaggers posted in the archives
from years ago continue to work, as well.
See a public version of what I use, at
http://www.spamless.us/pub/procmail/virussnag
I tried this out, and it doesn't seem to catch the latest M$FT update hoax.
Here are the headers:
Date: Fri, 19 Sep 2003 18:13:09 +0200
Message-Id: <200309191613(_dot_)h8JGD9uK027723(_at_)relay3(_dot_)clb(_dot_)oleane(_dot_)net>
FROM: "MS Security Department" <byeocxryy(_at_)piinbh(_dot_)ms(_dot_)com>
TO: "Commercial Consumer" <vigpa_csizpdu(_at_)piinbh(_dot_)ms(_dot_)com>
SUBJECT: New Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="glbjbkmbjxodmm"
--sxomycnedcibi
Content-Type: multipart/related; boundary="dasfjbuoux";
type="multipart/alternative"
And buried in the body,
--dasfjbuoux--
--sxomycnedcibi
Content-Type: application/x-msdownload; name="pack35.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment
----------------------------
Any ideas on how to tweak the virus scanning recipe to find these messages, or
a suggestion on a recipe that will handle errant exe's and other executable
files?
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
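
One way to catch attachments like the `pack35.exe` part quoted above, as an added example that is not part of the original post and not taken from the virussnag file it links to. The `QUARANTINE` mailbox name and the extension list are assumptions to adjust locally.

```procmail
# Added example: quarantine mail that carries an executable attachment.
# QUARANTINE is a hypothetical mbox under $MAILDIR; the extension list is
# an assumption, not a complete list.
QUARANTINE=$MAILDIR/quarantine

# Both recipes scan the raw body (B flag) for MIME part headers instead of
# relying on the boundary declared in the top-level Content-Type header.
# In the sample as posted, the declared boundary ("glbjbkmbjxodmm") is not
# the delimiter the body uses ("--sxomycnedcibi"), so a check keyed on the
# declared boundary would never find the part.
# The bracket expressions written "[ 	]" contain one space and one tab.
# procmail regexps are case-insensitive unless the D flag is given.

# 1. A part typed as a Windows executable, as in the sample
#    (Content-Type: application/x-msdownload).
:0 B:
* ^Content-Type:[ 	]*application/x-msdownload
$QUARANTINE

# 2. A part whose name= or filename= parameter ends in an executable
#    extension, whatever MIME type it claims. Inside a procmail regexp
#    "$" matches a newline, so ($[ 	].*)* allows the parameter to sit
#    on a folded continuation line of the part header.
:0 B:
* ^Content-(Type|Disposition):.*($[ 	].*)*name[ 	]*=[ 	]*"?[^"]*\.(exe|pif|scr|com|bat|cmd|vbs)("|[ 	;]|$)
$QUARANTINE
```

Place these before the normal delivery recipes. Because they match anywhere in the body, a message that merely quotes such a part header in plain text is quarantined too.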