I didn't want to submit this as an official patch since there's still some argument about whether or not SA should be watching for virus/worm mails. I've been getting enough of these things lately though that I wanted SA to catch them (why parse the message twice?) and then I can deal with them based on the test listing in the header.
I use:

full AUDIO_ATTACH eval:check_for_audio_executables()
describe AUDIO_ATTACH Has an audio attachment with an executable extension
score AUDIO_ATTACH 10

And the patch for EvalTests.pm (against 2.20, but should be generic enough for other versions) is attached. The test looks for an attachment of type x-wav or x-midi with a filename extension any of: wav, pif, scr, bat, com.

--
Randomly Generated Tagline:
"Honesty is the key to a relationship. If you can fake that, you're in."
- Richard Jeni

--- EvalTests.pm.orig Thu Apr 25 18:45:52 2002 +++ EvalTests.pm Thu Jun 13 17:15:48 2002 @@ -1082,4 +1082,23 @@ sub check_for_missing_headers { return 0; } # obsolete test +# search for likely MS worms +sub check_for_audio_executables { + my ($self, $fulltext) = @_; + + my $content_type = $self->{msg}->get_header('Content-Type'); + $content_type = '' unless defined $content_type; + $content_type =~ /\bboundary\s*=\s*["']?(.*?)["']?(?:;|$)/i; + my $boundary = "\Q$1\E"; + + # No message sections to check + return 0 unless ( defined $boundary ); + + while ( $$fulltext =~ /^--$boundary\n((?:[^\n]+\n)+)/mg ) { + return 1 if ( $1 =~ +m@^Content-Type:\s+audio/x-(wav|midi)\b.{0,100}\bname=.{0,100}\.(?:exe|pif|scr|bat|com)\b@msi + ); + } + + 0; +} + 1;
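
Review bot: In check_for_audio_executables, `my $boundary = "\Q$1\E";` reads $1 without testing whether the boundary match on the line before it succeeded, and the quoted string is always defined, so `return 0 unless ( defined $boundary )` can never fire. For a message with no boundary parameter, $boundary ends up empty (or holds a capture left over from an earlier successful match), and the while loop then scans for lines of just `--`. Suggest making the match itself the guard, for example `return 0 unless $content_type =~ /...boundary.../i;` followed by `my $boundary = quotemeta($1);`. Two smaller points on the loop: `/^--$boundary\n/` only matches LF line endings with nothing after the boundary, so a CRLF body or trailing whitespace would skip every part, and the extension list in the regex is `exe|pif|scr|bat|com` while the accompanying description lists wav instead of exe, so one of the two should be brought in line. The test also only inspects `name=` on the Content-Type header; a part that carries the filename only in Content-Disposition would not be matched, which deserves at least a comment.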