Hi!
aCaB wrote:
Nicolas Riendeau wrote:
It is part of the message (which could be in text/plain or text/html)...
[there is a risk that QP or base64 could make it not work I guess (does
Clamav take care of this?) but the test file I'm using doesn't use
either...]
Yup, Clamav will decode that.
At least for attachments it does...
To be sure my signature would match I made an extended signature with a
"TargetType" of "0" (which seems to include the others) and an offset
set to "*" (any)
[eg Joke.local.EricssonHoax:0:*:(61|41)(6e|4e)(6e|4e)(61|41)... ]
This thingy's not going to work, sorry.
It doesn't work but the thing I don't understand is why... According to the docs that
syntax is supposedly acceptable and some stock signatures even seem to be built in a
similar way...
If it's HTML just use a proper TargetType and rely on the ClamAV html
normalizer which will turn all the text into lower case.
If not, bad luck. :(
I'm trying to block hoaxes sent by email which could be in plain text or in html so I
can't rely on the HTML normalizer.
Thanks!
Nick
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html