procmail

Re: Ruleset for W32(_dot_)Swen(_dot_)A(_at_)mm?

2003-09-19 17:14:33
In 
<Pine(_dot_)LNX(_dot_)4(_dot_)44(_dot_)0309191010120(_dot_)6169-100000(_at_)aztec(_dot_)zanshin(_dot_)com>,
 Bart Schaefer <schaefer(_at_)zanshin(_dot_)com> writes:

> Not as generalized as dman's, but this appears to be catching it for us:
>
> :0
> * microsoft
> * B ?? ^kJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2luMzIN

This does not seem to catch all variants.

dman's virussnag does a great job in filtering potentially 
dangerous attachments, at the cost of blocking any such
attachments including perfectly acceptable files like
virussnag.txt.gz :-)

The other problem is that increasingly ISPs seem to scan outgoing
messages and filter known virus attachments but deliver the cleaned
message, which obviously does not trigger the filter rules any more,
and which is why I was originally looking for specific rules to
identify virus mails from headers, which was doable for Sobig.F
but seems to be a lot harder with this one.

Other than the uppercase subject field, the character-only boundary and the 
lack of a mailer identification I have not found anything special about this
virus that would allow reliable identification.

-- 
Klaus Johannes Rusch
KlausRusch(_at_)atmedia(_dot_)net
http://www.atmedia.net/KlausRusch/
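An added example, not code from this thread: the Python below generalises Bart's body match to all three base64 alignments of the "This program must be run under Win32" stub text (his fixed string can only hit one of them, since the encoding of a string depends on the byte offset at which it starts), and scores the header heuristics Klaus lists. The sample message, subject, boundary and attachment name are constructed for the demonstration.

```python
import base64
import email

# DOS-stub text of executables built with some Win32 tool chains; the string in
# Bart's rule is its base64 form at one of the three possible alignments.
STUB_TEXT = b"This program must be run under Win32"


def base64_alignments(text: bytes) -> list:
    """Base64 substrings encoding `text` at each byte offset (0, 1, 2) of the
    encoded stream; chars that also depend on neighbouring bytes are dropped."""
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\0" * k + text).decode("ascii")
        full_groups = (k + len(text)) // 3   # complete 3-byte groups
        start = 4 if k else 0                # group 0 mixes in the pad bytes
        out.append(enc[start:4 * full_groups])
    return out


STUB_PATTERNS = base64_alignments(STUB_TEXT)


def score_message(raw: str) -> dict:
    """Apply the thread's heuristics to one raw RFC 822 message. The body is
    left encoded, which is what procmail's `B ??` condition scans."""
    msg = email.message_from_string(raw)
    body = raw.partition("\n\n")[2]
    subject = msg.get("Subject", "")
    boundary = msg.get_boundary() or ""
    return {
        "win32_stub_in_body": any(p in body for p in STUB_PATTERNS),
        "uppercase_subject": subject.isupper(),
        "letters_only_boundary": boundary.isascii() and boundary.isalpha(),
        "no_mailer_header": msg.get("X-Mailer") is None and msg.get("User-Agent") is None,
    }


def build_sample(prefix_len: int) -> str:
    """Constructed message (not a real worm sample): a base64 attachment whose
    stub text starts `prefix_len` bytes in, i.e. at alignment prefix_len % 3."""
    blob = b"\x90" * prefix_len + STUB_TEXT + b"\r\n$"
    encoded = base64.b64encode(blob).decode("ascii")
    return (
        "From: someone@example.invalid\nSubject: CURRENT NETWORK CRITICAL PATCH\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="ABCDEFGHIJKL"\n'
        '\n--ABCDEFGHIJKL\nContent-Type: application/octet-stream; name="patch.exe"\n'
        f"Content-Transfer-Encoding: base64\n\n{encoded}\n--ABCDEFGHIJKL--\n"
    )
```

Real base64 bodies are wrapped at 76 columns, so a line break can fall inside the pattern; the same limitation applies to the procmail rule quoted above.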

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail