On Wed, Sep 08, 2004 at 05:20:53PM +0300, Udi Mottelo wrote:
On Mon, 6 Sep 2004, Dallman Ross wrote:
Well, sure, as long as you don't think you're going to miss anything
coming in that's not a virus but says "Important document!"
TRASH = /var/tmp/probably_netsky
:0 B D # case-sensitive to avoid false positives, hence the 'D' flag
* ()\<Important document!
$TRASH
It will be more safe to say:
:0 B D
* -3^0
* 2^0 ()\<Important document!
* 2^0 ()\.zm9\>
$TRASH
That means only "Important document!" _AND_ "zm9" files
I've found that Microsoft Netsky worm is about 42kB in size, and uses
the following boundary patterns:
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
boundary="----=_NextPart_000_001B_01C0CA81.7B015D10"
So, here is my recipe:
:0 D
* > 35000
* < 45000
* boundary="(----=_NextPart_000_0016----=_NextPart_000_0016|----=_NextPart_000_001B_01C0CA8(0.6|1.7)B015D10)"
spam.header
--
William Park <opengeometry(_at_)yahoo(_dot_)ca>
Open Geometry Consulting, Toronto, Canada
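
The two stricter recipes in this thread (the weighted body score and the size-plus-boundary header test), emulated in Python so they can be tried against sample mail before being put in a live rc file. This is an added example, not code from any of the posters; the helper names, the sample messages and the use of `\b` in place of procmail's `\<` and `\>` are assumptions of the example.

```python
import re

# Boundary alternation copied from William Park's recipe above; the dots are
# left unescaped as posted, so each one matches any single character.
BOUNDARY_RE = re.compile(
    r'boundary="(----=_NextPart_000_0016----=_NextPart_000_0016'
    r'|----=_NextPart_000_001B_01C0CA8(0.6|1.7)B015D10)"')

# Udi Mottelo's weighted body conditions. Python's \b stands in for
# procmail's \< and \> (an approximation made for this example).
WEIGHTED = [(2, re.compile(r'\bImportant document!')),
            (2, re.compile(r'\.zm9\b'))]


def split_message(raw):
    """Split raw mail text into (header, body) at the first blank line."""
    header, _, body = raw.partition("\n\n")
    return header, body


def size_and_boundary(raw):
    """':0 D' recipe: 35000 < total size < 45000 and header boundary match."""
    header, _ = split_message(raw)
    size = len(raw.encode())
    return 35000 < size < 45000 and BOUNDARY_RE.search(header) is not None


def body_score(raw):
    """':0 B D' recipe: start at -3, add each weight once if its regex hits."""
    _, body = split_message(raw)
    return -3 + sum(w for w, rx in WEIGHTED if rx.search(body))


def make_msg(boundary, body, pad=0):
    """Constructed sample message; pad appends filler to reach a target size."""
    head = f'Subject: sample\nContent-Type: multipart/mixed; boundary="{boundary}"'
    return head + "\n\n" + body + "\n" + "x" * pad


if __name__ == "__main__":
    worm = make_msg("----=_NextPart_000_001B_01C0CA80.6B015D10",
                    "Important document!\nreport.zm9", pad=40000)
    memo = make_msg("=_plain_0001", "Important document! Please review.")
    for name, msg in (("worm-like", worm), ("memo", memo)):
        print(name, size_and_boundary(msg), body_score(msg) > 0)
```

A message is filed to the trash folder by the scored recipe only when `body_score` is positive, which requires both body conditions to match.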