On Fri, 19 Sep 2003 10:14:56 -0500,
Kirk Strauser <[EMAIL PROTECTED]> wrote in message
<[EMAIL PROTECTED]>:
> At 2003-09-19T03:33:53Z, Kirk Strauser <[EMAIL PROTECTED]> writes:
>
> OK, last iteration (I promise). Enough people have found this
> helpful, or at least amusing, that I'm posting my final script update.
>
> I'm using the "MICROSOFT_EXECUTABLE" block in SpamAssassin in junction
> with this script. Overnight hit rates look like:
>
> My script : about 4,000 emails
> SpamAssasin: another few hundred that snuck through
> My inbox : about 15-20
>
> <alan>
> IF YOU DON'T USE MY SCRIPT, THEN YOU MUST BE A WORM AUTHOR.
> </alan>
>
> ############################################################
>
> #### Virus detection
> # 2003-09-18: Something stupid and Microsofty
> if anyof(
> # This one is super-annoying; it mimics real bounce messages
> allof(
> # Sender
> anyof(
> # Check that the sender matches a pattern...
> allof(
> header :contains "From" [
> "email",
> "inet",
> "internet",
> "mail",
> "microsoft",
> "ms",
> "net",
> "network"
> ],
> header :contains "From" [
> "service",
> "section",
> "system"
> ]
> ),
> # ...or is one of several words
> header :is "From" [
> "administrator",
> "admin" ]
> ),
>
> # Subject
> anyof(
> # Short phrases
> header :is "Subject" [
> "advice",
> "announcement",
> "failure report",
> "letter",
> "mail",
> "notice",
> "report" ],
>
> # Weird errors
> allof(
> header :matches "Subject" [
> "abort *",
> "bug *",
> "error *" ],
> header :matches "Subject" [
> "* advice",
> "* announcement",
> "* letter",
> "* message",
> "* notice" ]
> ),
>
> # Faked bounce messages
> header :matches "Subject" [
> "mail: *",
> "message*",
> "returned mail*",
> "returned message*",
> "undeliverable message*",
> "undelivered message*" ],
>
> # No subject
> not exists "Subject"
> )
> ),
>
> # "Current Security Pack", "New Security Update", etc.
> allof(
> header :matches "Subject" [
> "critical *",
> "current *",
> "internet *",
> "last *",
> "latest *",
> "microsoft *",
> "net *",
> "network *",
> "new *",
> "newest *",
> "security *"
> ],
> header :matches "Subject" [
> "* upgrade",
> "* update",
> "* pack",
> "* patch"
> ]
> )
> )
> {
> fileinto "INBOX.virus.2003-09-18";
> }
>
> ############################################################
>
..hmmm, cool. And in .procmailrc'ese it is?
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
