Tomasz Papszun wrote:
> On Tue, 20 Jul 2004 at 14:31:03 -0400, henry j. mason wrote:
> ---snip---
> Has anyone else encountered this? I can easily see a poorly written virus sending out botched copies of itself.
>
> That's right. We got many samples of messages generated by Worm.Bagle.AF.2 containing empty (0 B) zip files.
>
> So, I'm correct in assuming that clamav is behaving correctly in passing these messages, right? I can't think of any reasonable way to stop them, as they seem to follow the Bagle pattern of using many different patterns for the message and attachment filenames.
Most Bagle variants seem to use a Message ID that looks like:

    Message-ID: <[exactly 19 lower case letters]@[domain name]>
Grepping through a small (100M or so) message store didn't find any matches in good mail, so this is at least an unusual Message-ID header.
So I use a postfix header_check to reject these. This seems to have a zero false-positive rate for me; YMMV.
If you don't use postfix, perhaps your MTA has some similar simple content inspection feature, or you could write a simple SpamAssassin rule to mark all these as spam.
    # postfix header_checks.pcre
    /^Message-ID: <[a-z]{19}@/i    REJECT Bagle virus Message ID
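Added example, not part of Noel's post or of Postfix itself: the same header_checks pattern emulated in Python over a few constructed headers, so you can see which Message-IDs it rejects (including a folded header, and the side effect that the /i flag also matches 19 upper-case letters).

```python
import re
from email import message_from_string

# The pattern from the header_checks.pcre entry above. Postfix matches the
# whole logical header line, name included, and /i makes it case-insensitive,
# so [a-z]{19} also accepts 19 UPPER-case letters.
BAGLE_MSGID = re.compile(r"^Message-ID: <[a-z]{19}@", re.IGNORECASE)


def header_check(raw_message: str) -> str:
    """Emulate the header_checks decision for one message.

    Returns 'REJECT' when a header matches, else 'DUNNO' (Postfix's
    'no decision' result). Folded continuation lines are collapsed to
    single spaces so a wrapped Message-ID is still checked as one line.
    """
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        logical_line = f"{name}: {' '.join(value.split())}"
        if BAGLE_MSGID.search(logical_line):
            return "REJECT"
    return "DUNNO"


# Constructed sample headers (not captured traffic); bodies omitted.
SAMPLE_BAGLE = (
    "From: sender@example.invalid\r\n"
    "Message-ID: <abcdefghijklmnopqrs@example.invalid>\r\n"
    "Subject: Re: Hello\r\n\r\n"
)
SAMPLE_FOLDED = (  # same ID, header folded across two physical lines
    "From: sender@example.invalid\r\n"
    "Message-ID:\r\n <abcdefghijklmnopqrs@example.invalid>\r\n\r\n"
)
SAMPLE_UPPER = (  # 19 upper-case letters: matched because of the /i flag
    "Message-ID: <ABCDEFGHIJKLMNOPQRS@example.invalid>\r\n\r\n"
)
SAMPLE_GOOD = (  # typical MTA-generated ID: digits and dots, not 19 letters
    "Message-ID: <20040720143103.GA1234@mail.example.invalid>\r\n\r\n"
)
SAMPLE_18 = (  # 18 letters: one short of the pattern, passes
    "Message-ID: <abcdefghijklmnopqr@example.invalid>\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in [("bagle", SAMPLE_BAGLE), ("folded", SAMPLE_FOLDED),
                          ("upper", SAMPLE_UPPER), ("good", SAMPLE_GOOD),
                          ("18 letters", SAMPLE_18)]:
        print(f"{label:10s} -> {header_check(sample)}")
```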
--
Noel Jones
_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users