On Fri, Sep 19, 2003 at 07:14:08PM +0200, Dallman Ross wrote:
On Fri, Sep 19, 2003 at 09:35:48AM -0700, Gary Funck wrote:
> On Fri, Sep 19, 2003 at 10:31:00AM +0000, Klaus Johannes Rusch wrote:
> > Has anyone written a solid recipe to catch
> > W32(_dot_)Swen(_dot_)A(_at_)mm (aka
> > W32/Gibe-F) yet?
> > Of course. And the old virus snaggers posted in the archives
> > from years ago continue to work, as well.
> > See a public version of what I use, at
> > http://www.spamless.us/pub/procmail/virussnag
> I tried this out, and it doesn't seem to catch the latest M$FT update
> hoax. Here are the headers:
It does work. But if you were as "careful" about how you copied
the file as you are about attributing a post you're responding to
(NOT!), I can understand why you might have had a problem.
("Of course. . . ." and "See a public version . . ." are my words,
not Klaus's.)
I will take a stab at what went wrong: you selected the source
in your browser and pasted it into a file. You thereby nixed the
tab character in the source and have, instead, a series of spaces
in your copied file. That won't work.
> Date: Fri, 19 Sep 2003 18:13:09 +0200
> Message-Id:
> <200309191613(_dot_)h8JGD9uK027723(_at_)relay3(_dot_)clb(_dot_)oleane(_dot_)net>
> FROM: "MS Security Department" <byeocxryy(_at_)piinbh(_dot_)ms(_dot_)com>
> TO: "Commercial Consumer" <vigpa_csizpdu(_at_)piinbh(_dot_)ms(_dot_)com>
> SUBJECT: New Security Pack
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="glbjbkmbjxodmm"
> --sxomycnedcibi
> Content-Type: multipart/related; boundary="dasfjbuoux";
> type="multipart/alternative"
> And buried in the body,
> --dasfjbuoux--
> --sxomycnedcibi
> Content-Type: application/x-msdownload; name="pack35.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment
> ----------------------------
> Any ideas on how to tweak the virus scanning recipe to find these
> messages, or a suggestion on a recipe that will handle errant exe's
> and other executable files?
Copy the file correctly and it will work. In fact, I just padded
the part you sent out to reach my 50k minimum and ran it through
my test harness, and it snagged it fine.
procmail: Assigning "INCLUDERC=/users/dman/.procmail/contrib/virussnag"
procmail: Assigning "SHELL=/bin/sh"
procmail: Assigning "SPACE= "
procmail: Assigning "TAB= "
procmail: Assigning "WS= "
procmail: Assigning "DQ=""
procmail: Assigning "GO=9876543210"
procmail: Assigning "STOP=-9876543210"
procmail: Assigning "MYVIRUS=VIRUS"
procmail: Assigning "VFROM"
procmail: Assigning "MATCH="
procmail: Matched ""MS Security Department"
<byeocxryy(_at_)piinbh(_dot_)ms(_dot_)com>"
procmail: Score: 2147483647 2147483647 "^From:[ ]+\/.*"
procmail: Assigning "VFROM="MS Security Department"
<byeocxryy(_at_)piinbh(_dot_)ms(_dot_)com>"
procmail: Assigning "MATCH="
procmail: Matched "multipart/mixed"
procmail: Match on "^Content-Type:.*\/[^ ][^;]+"
procmail: Assigning "CTYPE=multipart/mixed"
procmail: Assigning
"NASTYEXT=(exe|hta|pif|scr|shs|vb[se]|ws[fh]|(doc|txt|xls)\.)"
procmail: Score: 0 0 "^Content-[^
]+:.*="?[^"]*\.(exe|hta|pif|scr|shs|vb[se]|ws[fh]|(doc|txt|xls)\.)"
procmail: Score: 0 0 ! "^^multipart"
procmail: Score: 2147483647 2147483647 "^Content-[^ ]+:.*($[
].*)*=[ ]*($[
]+)*"?[^"]*\.(exe|hta|pif|scr|shs|vb[se]|ws[fh]|(doc|txt|xls)\.)"
procmail: Locking "VIRUS.lock"
procmail: Assigning "LASTFOLDER=VIRUS"
procmail: Opening "VIRUS"
procmail: Acquiring kernel-lock
procmail: [27517] Fri Sep 19 19:11:17 2003
procmail: Unlocking "VIRUS.lock"
From byeocxryy(_at_)piinbh(_dot_)ms(_dot_)com Fri Sep 19 19:05:22 2003
SUBJECT: New Security Pack
Folder: VIRUS
122413
--
dman
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
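As an added illustration (not the virussnag recipe itself, nor anything from spamless.us), here is the same NASTYEXT extension check redone in Python and run against a constructed message laid out like the headers Gary quoted. It shows why a raw scan of Content-* headers, as the recipe does, still catches the .exe even though the declared boundary (glbjbkmbjxodmm) never appears in the body, while Python's boundary-following email parser reports no attachment at all. Addresses, the base64 payload and the function names are assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# Same extension list as the NASTYEXT variable in the procmail log above.
NASTYEXT = r"(?:exe|hta|pif|scr|shs|vb[se]|ws[fh]|(?:doc|txt|xls)\.)"

# Any Content-* header whose value carries something like name="x.exe".
# Like the recipe's regex, it ignores whether MIME boundaries are consistent.
HEADER_RE = re.compile(
    r'^Content-[^\n]+:.*?=[ \t]*"?(?P<name>[^"\s;]*\.' + NASTYEXT + r'[^"\s;]*)',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample shaped like the quoted message: the declared boundary
# (glbjbkmbjxodmm) never appears in the body. Addresses and payload are made up.
SAMPLE = """\
From: "MS Security Department" <sender@example.invalid>
To: "Commercial Consumer" <victim@example.invalid>
Subject: New Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="glbjbkmbjxodmm"

--sxomycnedcibi
Content-Type: multipart/related; boundary="dasfjbuoux";
\ttype="multipart/alternative"

--dasfjbuoux--
--sxomycnedcibi
Content-Type: application/x-msdownload; name="pack35.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment

bm90IGEgcmVhbCBwcm9ncmFt
--sxomycnedcibi--
"""

def unfold(raw):
    """Join folded header continuation lines so each header is one line."""
    return re.sub(r"\n[ \t]+", " ", raw)

def nasty_attachments(raw):
    """Dangerous attachment names found by a raw scan of the whole message."""
    return [m.group("name") for m in HEADER_RE.finditer(unfold(raw))]

def strict_mime_attachments(raw):
    """What a boundary-following MIME parser reports for the same message."""
    msg = message_from_string(raw, policy=default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]
```

Note that a plain .txt name is not flagged; only the double-extension form (for example report.txt.pif) trips the (doc|txt|xls)\. alternative, which is the same behaviour the recipe's regex has.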