
Re: netsky virus snagger

2004-02-20 10:04:40
On Fri, Feb 20, 2004 at 08:02:51AM -0800, Gary Funck wrote:

Generally, Dallman's script catches these, except for the .zip
variants (I'm not a fan of blocking .zip files), but this should catch
most of 'em:


### Netsky virus
:0 B
* ! VIRUS_FOUND ?? ^^TRUE^^

That won't work, assuming you are using $TRUE as I do with
it being a var and not a constant.  You would need

  * $ ! VIRUS_FOUND ?? ^^$TRUE^^

* > 20000
* < 60000
* H ?? ^Subject:[ 	]*(hi|hello|read it immediately|\
something for you|warning|information|stolen|fake|unknown)$
* ^(anything ok\?|what does it mean\?|ok|\
i'm waiting|read the details\.|here is the document\.|\
read it immediately\!|my hero|\
here|is that true\?|is that your name\?|is that your account\?|\
i wait for a reply\!|is that from you\?|you are a bad writer|\
I have your password\!|something about you\!|\
kill the writer of this document\!|i hope it is not true\!|\
your name is wrong|i found this document about you|\
yes, really\?|that is bad|here it is|see you|\
greetings|stuff about you\?|something is going wrong\!|\
information about you|about me|from the chatter|\
here, the serials|here, the introduction|here, the cheats|\
that's funny|do you\?|reply|take it easy|why\?|\
thats wrong|misc|you earn money|you feel the same|\
you try to steal|you are bad|something is going wrong|\
something is fool)$
# NOTE: the start of the next condition is cut off in the archive; the leading
# "(Content-Disposition:" is an assumed reconstruction of the visible "nt-Disposition:" remnant.
* ^(Content-Disposition:[ 	]*attachment;)?[ 	]*(file)?name="?(document|msg|\
doc|talk|message|creditcard|\
details|attachment|me|stuff|posting|textfile|concert|\
information|note|bill|swimmingpool|product|\
topseller|ps|shower|aboutyou|nomoney|found|\
story|mails|website|friend|jokes|location|\
final|release|dinner|ranking|object|mail2|part2|\
disco|party|misc)\..*(zip|exe|scr|com|pif)"?$
{
  VIRUS_FOUND=TRUE
}

Oh, I see, you're not setting a variable but a fixed string.  Okay,
well, that would work above, but you seem to be using this for a
makeshift X-Loop:, only it's only good inside this rc-file while it's
running.  I don't frankly see the point.

You're right that it's a gawdawful mess -- which also makes
it hard to maintain.  In any event, the current version of
Virus Snaggers has no problem stopping the MyDoom worm in
ZIP files, without the need to block ZIPs to do so.

-- 
dman

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
