On Sat, Sep 20, 2003 at 12:51:08AM +0100, Klaus Johannes Rusch wrote:
> Other than the uppercase subject field, the character-only boundary
> and the lack of a mailer identification I have not found anything
> special about this virus that would allow reliable identification.

Well, none of the empty (stripped) ones get to *my* inbox. My
standard spam recipes catch them all. That means the headers *do*
give them away. (It means that because my spam traps only concern
themselves with the headers -- 99% of the time.)

I am not filtering on the case of the word "Subject", either.

Here is what running one (of the three I got that are still around
to look at) through my test harness produces (abridged output):

===> TO is >"Microsoft User" <><
===> CC is not present
===> MSGID is <auto-000151903396(_at_)remt29(_dot_)cluster1(_dot_)charter(_dot_)net><
===> DH is >Fri, 19 Sep 2003 13:28:21 -0400<
===> FOGGYCLIENT is >[66.215.117.211] (HELO tjjcoua)<
===> CTYPE is >multipart/mixed<
: We're exiting Section HEADERS
: We're entering Section VIRUS
: We're exiting Section VIRUS
: We're entering Section PRECAUTIONS
: We're exiting Section PRECAUTIONS
: We're entering Section WHITELISTS
: We're exiting Section WHITELISTS
: We're entering Section TRUST
>> TRUST has changed from 3 to 1 <<
: We're exiting Section TRUST
: We're entering Section SPAMSNAG
: We're exiting Section SPAMSNAG
: We're entering Section DELIVERY
> Recipe-ID: UBE.TO.ILLEGAL, UBE.VH.BOGEY <
From wlxqsme2u(_at_)charter(_dot_)net Fri Sep 19 19:40:06 2003
SUBJECT: New Critical Pack
Folder: 1265

So mainly the "<>" and absence of any valid address in the To: line
give it away.

--
dman
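
The To: header test described in the message above, as an added example that is not part of the original post and is not dman's procmail recipes. The function name, the simplified address pattern and both sample messages are assumptions constructed for illustration; the first sample is modeled on the abridged harness output, with a placeholder sender.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Simplified addr-spec test (assumption): local part, "@", dotted domain.
ADDR_SPEC = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>.]+$")


def to_header_findings(raw_message):
    """Return the reasons a present To: header gives the message away."""
    msg = message_from_string(raw_message)
    to_values = msg.get_all("To", [])
    if not to_values:
        # The post only discusses a To: line that is present but unusable.
        return []
    findings = []
    # A bare "<>" where a recipient address should be.
    if any(re.search(r"<\s*>", value) for value in to_values):
        findings.append("null address <> in To:")
    # No parsed recipient carries something shaped like user@host.tld.
    addrs = [addr for _name, addr in getaddresses(to_values)]
    if not any(ADDR_SPEC.match(addr) for addr in addrs):
        findings.append("no valid address in To:")
    return findings


# Constructed sample modeled on the harness output (placeholder sender).
SWEN_LIKE = (
    "From: sender@example.net\n"
    'To: "Microsoft User" <>\n'
    "SUBJECT: New Critical Pack\n"
    "Date: Fri, 19 Sep 2003 13:28:21 -0400\n"
    'Content-Type: multipart/mixed; boundary="abcdefgh"\n'
    "\n"
    "body\n"
)

# Constructed ordinary message for comparison.
ORDINARY = (
    "From: sender@example.net\n"
    "To: Alice Example <alice@example.org>\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, raw in (("swen-like", SWEN_LIKE), ("ordinary", ORDINARY)):
        print(label, to_header_findings(raw))
```
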