On Wed, 19 Nov 2003 11:58:05 -0800 "Karsten M. Self" <[EMAIL PROTECTED]> wrote:
> on Wed, Nov 19, 2003 at 06:42:40AM +0800, David Palmer ([EMAIL PROTECTED]) wrote: > > Hello, > > > > Just saw this in Eweek, so I thought that I would forward it to the > > list. > > > > http://www.eweek.com/article2/0,4149,1383915,00.asp > > Since nobody in their right mind whom I don't already know would send me > a MSFT executable, procmail rules... > > "chkmail" comes from the 'spamfilter' package. > > Two methods. Take your pick. > > > By MIME-encoded signature: > > ------------------------------------------------------------------------ > # Win32 executables (viruses and any other attachment) > # Wed Sep 24 21:09:03 BST 2003 > :0 B > * ^Content-Transfer-Encoding:.*base64 > * ^TVqQAAMAAAAEAAAA//8AALg > * 4fug4AtAnNIbg > { > LOG="LOG: [virus: win32 exe] " > > :0 > Virus/ > } > ------------------------------------------------------------------------ > > > > By extension: > > ------------------------------------------------------------------------ > WINDOWS_EXECUTABLE_EXT="(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DLL|DO.|EXE|HLP > |HTA|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|OCX|PCD|PIF|POT|PPT|REG| > SCR|SCT|SHB|SHS|SYS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)" > > > :0B > * ^Content-Type: .*; name=.*\.$WINDOWS_EXECUTABLE_EXT['"]* > { > > :0c > | ! chkmail --header "From|Sender" $WHITELIST > > :0a > { > LOG="LOG: (Virus!: MSFT executable" > > # Train spamassassin > :0c > | sa-learn --spam --single > > :0: > Virus/ > > } > ------------------------------------------------------------------------ > > > Peace. > Thankyou. Regards, David. http://www.ctheory.net/text_file.asp?pick=402 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
