This looks quite useful. I have seen several of these "AV spam" messages. The worst ones actually contain the MIME encoded text of the virus. They don't decode on the server because they are considered as text. (The MIME boundary is not the same as the email MIME boundary.) Unfortunately, our virus scanning software on the Win boxes decodes the MIME encoded text with the invalid boundary and tags it as a virus and promptly quarantines the entire inbox, even though no harm can come from text!!

One comment. The line:
.*Invalid content in mail message (message rejected).* Virus-Subject: bogus antivirus
should be
.*Invalid content in mail message \(message rejected\).* Virus-Subject: bogus antivirus
And actually, I would say:
.*Invalid content in mail message \(.*\).* Virus-Subject: bogus antivirus


The first line will not block that subject line, but the second and third one will... There are probably others like this, like:
.*Non delivery report: 5.9.5 (Blocked attachment).* Virus-Subject: bogus antivirus
Also it seems some of the ones with exclamation marks are escaped but others aren't...


Thanks for the extensive list.

Message: 1
Date: Fri, 27 Aug 2004 14:16:44 +0300
From: Anton Alin-Adrian <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Qmail-scanner-general]bogus antivirus spam


Hello list,

        I just subscribed to submit something which I consider to be useful.

        Based on the link at:
http://std.dkuug.dk/keld/virus/header_checks

I created a quarantine-attachments.txt file, attached to this message,
which implements the respective filters for bogus antivirus spam.


We all know what AV spam is, a good article which many have already read
is at:
http://www.attrition.org/security/rant/av-spammers.html


The file has been tested, but please consider it Beta quality and if you
find it useful please improve it and let me know of any bugs/modifications.


A world without spam is better.

<<<Cut Message>>>



End of Qmail-scanner-general Digest
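
Added example, not part of either message and not qmail-scanner code: a small audit of the escaping problem raised in the reply above. It finds filter patterns whose unescaped parentheses act as a regex group, so the rule silently fails to match the literal subject. The sample subjects are constructed, and Python's re module is an assumption standing in for the Perl matching qmail-scanner does.

```python
import re

# Patterns quoted in the thread (regex part only, without the description).
PATTERNS = [
    r".*Invalid content in mail message (message rejected).*",
    r".*Invalid content in mail message \(message rejected\).*",
    r".*Invalid content in mail message \(.*\).*",
    r".*Non delivery report: 5.9.5 (Blocked attachment).*",
]

# Constructed sample subjects of the kind these rules are meant to catch.
SUBJECTS = [
    "Invalid content in mail message (message rejected)",
    "Non delivery report: 5.9.5 (Blocked attachment)",
]

def unescaped_parens(pattern):
    """Offsets of '(' / ')' that are neither backslash-escaped nor in [...]."""
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":          # skip the escaped character entirely
            i += 2
            continue
        if c == "[":
            in_class = True    # simplified: does not handle "[]]"
        elif c == "]":
            in_class = False
        elif c in "()" and not in_class:
            hits.append(i)
        i += 1
    return hits

def escape_at(pattern, offsets):
    """Insert a backslash before each listed offset."""
    return "".join(("\\" + c) if i in offsets else c
                   for i, c in enumerate(pattern))

def audit(patterns, subjects):
    """Return (pattern, suggested_fix, missed_subjects) for dead rules."""
    findings = []
    for p in patterns:
        offsets = set(unescaped_parens(p))
        if not offsets:
            continue
        fixed = escape_at(p, offsets)
        missed = [s for s in subjects
                  if re.search(fixed, s) and not re.search(p, s)]
        if missed:
            findings.append((p, fixed, missed))
    return findings

if __name__ == "__main__":
    for original, fixed, missed in audit(PATTERNS, SUBJECTS):
        print("dead rule:", original, "\n  use:     ", fixed)
```
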






