procmail

Re: virus recipe for MyDoom

2004-01-27 17:27:13
On Tue, Jan 27, 2004 at 12:41:24PM +0000, Robert Arnold wrote:
> Catherine Hampton posted an on-the-fly recipe yesterday to her
> sb-viruses.rc @spambouncer.org that seems to work consistently with
> the zip files at any rate. Instead of anchoring the signature at the
> beginning of the line, she just created a scored recipe which scans
> for nine character snippets of the base64 encoded attachment. I've
> seen plenty of these that weren't zipped though, where the attachment
> was .scr and .exe among others. I wrote another recipe to match those
> versions, sticking to her initial model:
>
> :0 BDE
> * -1000^0
> * 200^0 vXCCMD\+Cn
> * 200^0 MiIR8pGma
> * 200^0 RwDKnH5oY
> * 200^0 TstLxCSBY
> * 200^0 XeAuTxvh1
> * 200^0 DuhyimZ58
> {
> VIRUS='YES'
> TYPE='Novarg/Mydoom'
> }

Hmm.  You're saying all need to be there, so I'm not
clear on why you went to scoring.  Also, the E flag is
not going to be useful here.  I recognize that it's
probably shown here out of context.

Interesting, in any case.  Thanks, Robert.

Dallman
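To make the scoring arithmetic behind the quoted recipe concrete, here is an added Python model of procmail's scoring evaluation (example code written for this page, not code from the thread, from spambouncer or from procmail itself). It applies the recipe's conditions to a constructed stand-in body and shows that -1000 plus six 200^0 hits only passes when all six fragments are present, which is exactly a plain AND. The contribution formula for exponents other than 0 follows procmailsc(5) and goes beyond what this recipe uses.

```python
import re

# The six 9-character base64 fragments from the recipe above, as plain strings.
SNIPPETS = ["vXCCMD+Cn", "MiIR8pGma", "RwDKnH5oY", "TstLxCSBY", "XeAuTxvh1", "DuhyimZ58"]

# The recipe's conditions as (weight, exponent, regex). The first line,
# "* -1000^0" with no regex, is the base score: an empty regex matches once.
RULES = [(-1000, 0, "")] + [(200, 0, re.escape(s)) for s in SNIPPETS]


def condition_score(weight, exponent, n_matches):
    """Contribution of one scoring condition that matched n_matches times.

    procmailsc(5): the first match adds w, the k-th match adds w*x^(k-1),
    i.e. w*(1 + x + x^2 + ... + x^(n-1)). With x=0 only the first match counts.
    """
    return sum(weight * exponent ** k for k in range(n_matches))


def procmail_score(body, rules=RULES):
    """Total score of a B-flag (body) scan with the D flag (case-sensitive).

    Returns (score, taken): procmail takes the recipe when the score is > 0.
    """
    total = 0
    for weight, exponent, pattern in rules:
        n = len(re.findall(pattern, body)) if pattern else 1
        total += condition_score(weight, exponent, n)
    return total, total > 0


def all_present(body, snippets=SNIPPETS):
    """The non-scoring equivalent: a plain AND over six ordinary conditions."""
    return all(s in body for s in snippets)


# Constructed stand-in for a base64 attachment body: filler plus the six
# fragments, one per line. This is not real MyDoom data.
BODY_ALL = "\n".join("QUFBQUFB" + s + "QUFBQUFB" for s in SNIPPETS)
BODY_FIVE = "\n".join(BODY_ALL.splitlines()[:-1])  # drop the last fragment

if __name__ == "__main__":
    print(procmail_score(BODY_ALL))    # (200, True):  -1000 + 6*200
    print(procmail_score(BODY_FIVE))   # (0, False):   -1000 + 5*200
    print(all_present(BODY_ALL), all_present(BODY_FIVE))  # True False
```

Because a procmail regex never matches across a newline, a fragment that happens to land on a base64 line wrap in a differently re-encoded copy of the attachment will be missed, which is one reason snippet recipes like this can work for one encoding and not another.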

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
