On Fri, Jan 06, 2006 at 12:37:02PM -0500, Chuck Swiger wrote:
> Anyway, amavisd-new lists a dozen or so examples:
> 
> # Treat envelope sender address as unreliable and don't send sender
> # notification / bounces if name(s) of detected virus(es) match the list.
> # Note that virus names are supplied by external virus scanner(s) and are
> # not standardized, so virus names may need to be adjusted.
> # See README.lookups for syntax.
> #
> $viruses_that_fake_sender_re = new_RE(
>   qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
>   qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i,
> );
This list is pretty much incomplete (at least sober, somefool and mydoom are
missing, to name a few). And having this makes you follow the latest virus
definitions scanning for possible new virus strands that fake their sender.

I believe it's way easier to do the opposite: list only viruses that do NOT
fake the sender. The only ones you'd expect to find in email are things like
eicar, joke and macro viruses. This is probably a better regex:

$viruses_that_dont_fake_sender_re = qr{
    ^( Joke | Eicar | OF97 | WM(97)? | W(97)?M | (Word)?Macro )(\b|_)
}xi;

Anyone got any comment or suggestions about this list? (You can of course
include all old-fashioned .com and .exe infectors, and it would be wise to do
so for any still "in the wild", but I don't know if there are any.)

Unfortunately the information available from various virus scanners never
includes a field "virus has its own SMTP engine and fakes sender addresses",
or this would be a lot easier.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
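The allow-list approach proposed in the post, worked through as an added example that is not part of the original message or of amavisd-new itself. The regex is the one from the post, translated from Perl's qr{...}xi into Python's re.VERBOSE | re.IGNORECASE (the pattern syntax is identical for this expression), and the decision logic follows the quoted config comment inverted: notify the envelope sender only when every detected name is on the "does not fake its sender" list, so a single mass-mailer hit suppresses the bounce. The virus names below are constructed in the style scanners report them and are not real scanner output; the function names are my own.

```python
import re

# The post's allow-list, translated from Perl qr{...}xi.
# VERBOSE makes the whitespace inside the pattern insignificant, as /x does in Perl.
VIRUSES_THAT_DONT_FAKE_SENDER = re.compile(
    r"""
    ^( Joke | Eicar | OF97 | WM(97)? | W(97)?M | (Word)?Macro )(\b|_)
    """,
    re.VERBOSE | re.IGNORECASE,
)


def sender_is_trustworthy(virus_name: str) -> bool:
    """True when the scanner-supplied name is a joke, EICAR or macro detection,
    i.e. a kind of malware that does not forge its envelope sender."""
    return VIRUSES_THAT_DONT_FAKE_SENDER.search(virus_name) is not None


def should_notify_sender(virus_names) -> bool:
    """Decide whether a sender notification / bounce is safe to send.

    Every detected name must be on the allow-list; one mass-mailer hit means
    the envelope sender is probably forged and a bounce would be backscatter.
    An empty detection list yields False because there is nothing to report.
    """
    names = list(virus_names)
    return bool(names) and all(sender_is_trustworthy(n) for n in names)


# Constructed sample names (scanner-style, not real output) with the expected
# verdict of the allow-list regex for each.
SAMPLE_DETECTIONS = {
    "Eicar-Test-Signature": True,      # test file, sender is real
    "Joke.Win32.Stressreducer": True,  # joke program, no SMTP engine
    "WM97/Melissa-A": True,            # Word macro virus (WM97 prefix)
    "W97M.Thus.A": True,               # Word macro virus (W97M prefix)
    "Macro.Melissa": True,             # generic macro prefix
    "Worm.Sober.I": False,             # mass-mailer, forges sender
    "Worm.Mydoom.M": False,            # mass-mailer, forges sender
    "Worm.SomeFool.P": False,          # mass-mailer, forges sender
    "Trojan.Dropper-17": False,        # not on the allow-list
    "W95/CIH": False,                  # file infector, not on the allow-list
}


def classify_samples() -> dict:
    """Run the regex over the constructed samples; returns name -> verdict."""
    return {name: sender_is_trustworthy(name) for name in SAMPLE_DETECTIONS}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28s} notify sender: {verdict}")
    # A message carrying one trustworthy and one forging detection: no bounce.
    print(should_notify_sender(["Eicar-Test-Signature", "Worm.Mydoom.M"]))
```

Because the list is an allow-list, any name the regex has never seen (a new mass-mailer, a renamed strain) falls through to "unreliable sender" and no bounce is generated, which is the fail-safe direction for backscatter; the cost is that a new macro-virus naming convention from some scanner needs to be added to the pattern before its detections get a sender notification again.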