On Fri, 17 May 2002, Michael C. Berch wrote:
> [ How annoying klez is for non-MS users]
>
> Has anyone written a local rule for this?  I have just now started
> looking at the messages closely, and the key part seems to be an
> attachment of type audio/x-wav, with a filename of *.(?:pif|scr|exe|bat).
> I can't imagine anyone sending a legitimate attachment with those
> criteria, so it should have a fairly high score, if not an automatic
> trap.

I don't remember what the email size limit is for SA, but I'm pretty
sure Klez exceeds it most of the time.

> The other one I just get over and over and finally wrote a rule for is
> something with "Snowhite" and the 7 dwarves, and an attachment that is
> usually an .exe file.  I'm just scoring anything with /snowhite/i and
> an attachment as probable spam.

If you're even remotely familiar with procmail, there are some good
recipes that match a number of viruses quite well.  Here's what I've
got in the system-wide procmailrc for the system I manage.  In nearly
two weeks, I haven't gotten a false positive from either sig, and
caught more than I can count.  For a while, I was filtering but
allowing normal delivery until I knew the rules were effective but not
overbroad.  I think I may have a sig for Snow White lying around; I
just don't see it much myself.

--------------------------------------------------------------------
VIRUSTRAP=/export/home/broot/mail/virustrap

# This should catch any Klez
# As of 2002-05-06 21:03, Klez goes to broot, and does NOT get delivered
# Add the 'c' flag to allow normal delivery
:0 B
* ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$
$VIRUSTRAP

# Test for the SirCam signature
:0 B
* daeLRCQEM9KJEIN8JAwAdBmLRCQEi1QkCIkQi0QkDCtEJAiLVCQEiUIEg8QUXV9eW8NTVldV
$VIRUSTRAP
---------------------------------------------------------------------

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                |
=----------------------------------+-------------------------------
All syllogisms contain three lines | [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.gslis.utexas.edu/~shanew

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
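Added example (not code from the post, from SpamAssassin, or from procmail), written to show what the two checks in this thread do when run over an actual message: the `:0 B` / `* ^SIG$` single-line body match used by the procmailrc above, and the audio/x-wav-with-executable-name rule Michael Berch described. It also shows the caveat a base64 line signature carries: a MIME base64 part is laid out 57 input bytes per 76-character line, so the same worm bytes shifted by even one octet encode to entirely different lines and a one-line signature misses. Everything in it is constructed: the sample bytes, the signature line taken from them, the addresses, and the function names; the real Klez and SirCam lines from the procmailrc are not used.

```python
"""Added example (not code from the list post, SpamAssassin or procmail):
the two checks discussed in the thread, run in Python on a constructed
message.  The attachment bytes and the signature line are constructed
here; they are not the Klez or SirCam lines quoted in the procmailrc."""
import base64
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Berch's rule: an audio/x-wav part whose filename ends in an executable
# extension.  Assumed here to be his regex applied to the filename.
EXEC_EXT = re.compile(r"\.(?:pif|scr|exe|bat)$", re.IGNORECASE)

# Constructed stand-in for a worm body: 640 deterministic, non-repeating bytes.
SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20))


def base64_lines(data: bytes, width: int = 76) -> list[str]:
    """Encode bytes the way a MIME base64 part is laid out: 76-char lines,
    i.e. 57 input bytes per line."""
    enc = base64.b64encode(data).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]


def signature_from(data: bytes, line_index: int) -> str:
    """Take one full base64 line of a known sample as the signature, which is
    what the `* ^...$` conditions in the procmailrc do with one line of the
    Klez/SirCam body."""
    return base64_lines(data)[line_index]


def build_message(attachment: bytes, filename: str, ctype: str) -> bytes:
    """Constructed test message: a short text part plus one base64 attachment.
    email.policy.default wraps base64 at 76 chars, as an MTA would."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "hi"
    msg.set_content("see attachment")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


def body_matches(raw: bytes, signature: str) -> bool:
    """Equivalent of a procmail `:0 B` recipe with `* ^SIG$`: look only at the
    body (everything after the first blank line) for a line that is SIG."""
    text = raw.decode("latin-1")
    split = re.split(r"\r?\n\r?\n", text, maxsplit=1)
    body = split[1] if len(split) == 2 else ""
    pattern = r"^" + re.escape(signature) + r"$"
    return re.search(pattern, body, re.MULTILINE) is not None


def suspicious_attachment(raw: bytes) -> bool:
    """Berch's attachment rule: Content-Type audio/x-wav with an executable
    extension in the filename.  A real .wav, or an .exe honestly labelled
    application/octet-stream, does not trigger it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "audio/x-wav" and EXEC_EXT.search(name):
            return True
    return False


def check(raw: bytes, signature: str) -> dict[str, bool]:
    """Both checks on one raw message; in the procmailrc above either hit
    would be the condition that routes the message to VIRUSTRAP."""
    return {"body_sig": body_matches(raw, signature),
            "wav_with_exec_name": suspicious_attachment(raw)}


if __name__ == "__main__":
    sig = signature_from(SAMPLE, 3)
    hit = build_message(SAMPLE, "readme.scr", "audio/x-wav")
    print(check(hit, sig))      # {'body_sig': True, 'wav_with_exec_name': True}
    # Alignment caveat: the same bytes shifted by one octet encode to
    # completely different base64 lines, so the one-line signature misses.
    shifted = build_message(b"\x00" + SAMPLE, "readme.scr", "audio/x-wav")
    print(check(shifted, sig))  # {'body_sig': False, 'wav_with_exec_name': True}
    clean = build_message(SAMPLE, "song.wav", "audio/x-wav")
    print(check(clean, sig))    # {'body_sig': True, 'wav_with_exec_name': False}
```

The body signature is robust against renamed attachments and changed subjects but breaks on any change to the bytes ahead of the signature within the part; the attachment rule is the reverse, immune to payload changes but trivially dodged by a different Content-Type. Running both, as the thread ends up suggesting, covers each one's blind spot.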