Maybe OT - but it's a decent interim fix so people can continue sending large(r) Zips.

So - not sure if this is OT or what, but if you use procmail as the delivery agent on your system, this rule below will catch the ZIPs under 250k in size and having 'password:' somewhere in the body.
Not perfect, not guaranteed - but it's been working for us. If I knew how large or how small these attachments were, we could obviously adjust the size. And I am sure it can be tweaked - like do these viruses only have the attachment name in the headers and not the body? Would make the rule less prone to hit regular Zips.


Places them all in a file in your mail spool folder called: antivirus-bagle.I so you can hunt down any false positives until the Virus Scanner folks can figure out how to handle this one. Good luck guys!

Keep up the good work ClamAV, just another one to beat down. Too bad the MailScanner folks could not adjust for size on file name type rules...

Jerome

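################ TEMP RULE FOR BAGLE-I
# Outer recipe: header or body names an attachment ending in .zip
:0 BH
  *  ^(Content.*(file)?name=.+\.(zip).*$|\
     Content-Type:(.*$)+.*(file)?name=.+\.(zip).*$|\
     .*\/^.*name=.*\.(zip))
{
  # Only messages smaller than 250000 bytes
  :0
  * < 250000
  {
        # Body contains 'password:'; the matched text is saved in $MATCH
        :0 B
        * .*\/(password:)
        {
                LOG="SPAMLOG Antivirus BAGLE-I $MATCH "
                # Deliver to the quarantine file instead of the inbox
                :0
                antivirus-bagle.I
        }
  }
}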



ePaxsys/FRWS Technical Staff
ePaxsys, Inc. http://www.epaxsys.net
FRWS: http://www.frws.com
Live Text Support: http://www.epaxsys.net/live-help
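
An added example, not part of the original post: a Python harness that applies the rule's three tests (zip-named attachment, message under 250000 bytes, 'password:' in the text) to a raw message, so mail collected in the quarantine file can be rechecked for false positives. The function names and sample messages are constructed for illustration; unlike the procmail regex, it reads the attachment name from the MIME part headers and searches only decoded text parts.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SIZE_LIMIT = 250000  # same threshold as "* < 250000" in the procmail rule
# procmail conditions are case-insensitive by default, so match that here
PASSWORD_RE = re.compile(r"password:", re.IGNORECASE)


def zip_names(msg):
    """Attachment names ending in .zip, read from each MIME part's headers."""
    names = [part.get_filename() for part in msg.walk()]
    return [n for n in names if n and n.lower().endswith(".zip")]


def text_has_password(msg):
    """True if a decoded text part (not an attachment) contains 'password:'."""
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue
        try:
            if PASSWORD_RE.search(part.get_content()):
                return True
        except LookupError:  # unknown charset: skip the part
            continue
    return False


def matches_rule(raw):
    """Apply the three tests of the rule to one raw message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return len(raw) < SIZE_LIMIT and bool(zip_names(msg)) and text_has_password(msg)


def build_sample(body, filename, payload=b"PK\x05\x06" + b"\x00" * 18):
    """Constructed message: text body plus one attachment (empty-zip bytes)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(matches_rule(build_sample("password: 12345\n", "doc.zip")))   # flagged
    print(matches_rule(build_sample("See attached.\n", "doc.zip")))     # not flagged
```

A legitimate password-protected zip whose cover text says "password:" still matches, which is the false-positive case the quarantine file is meant to surface.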



_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
