GD> I'm trying to block all the annoying SoBig viruses - so I have the
GD> following:

GD> body SO_BIG_VIRUS /Please see the attached zip file for details\./
GD> score SO_BIG_VIRUS 6.0
GD> header SO_BIG_ATTACHMENT ALL =~ /your_details\.zip/
GD> score SO_BIG_ATTACHMENT 3.0

The title is actually in the body, not the header. (Possibly
you need the "rawbody" directive. I'm not sure.) For SA, your
first recipe is enough to score any email for Sobig.E.

You should know that Sobig.E. is programmed to stop working
on July 14th, and that the reason the file name is so
consistent is that there is a bug in the program. So
anything you write now won't be needed in a week. This
doesn't mean you won't have to worry about it. Whoever wrote
Sobig.E. had a reason for the termination date, very likely
because a newer version will be launched on July 15th. But
of course the rule you write now won't work then, because at
the very least the next version will have a change in text
and file name.

I think it is a mistake to try to identify viruses with
SpamAssassin, both because it is inefficient and because
viruses often have very large binary attachments which can
cause SA to crash with an out-of-memory error, and let the
attachment through in any case. For example, Sobig.E. is
about 115k. It's much better to pre-filter for potential
viruses & attachments before the email gets to SA, either
with procmail or another filtering program.

-Abigail
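
A sketch of the kind of pre-filter suggested above, as an added example that is not part of the original message: it decides from the declared attachment names and the message size whether a message should reach SpamAssassin at all. The extension list, the 100 KB limit, the verdict names and the function names are assumptions for illustration, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed site policy (not from the original message); tune before use.
RISKY_EXTENSIONS = (".zip", ".pif", ".scr", ".exe", ".bat", ".com")
MAX_SA_BYTES = 100 * 1024  # anything larger is never handed to SpamAssassin


def attachment_names(msg):
    """Yield the declared filename of every MIME part that has one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def prefilter(raw: bytes) -> str:
    """Return 'quarantine', 'bypass-sa' or 'scan' for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name in attachment_names(msg):
        # Match on the final extension so 'photo.JPG.pif' is caught too.
        if name.strip().lower().endswith(RISKY_EXTENSIONS):
            return "quarantine"
    # Size is checked on the raw message, i.e. after base64 expansion.
    if len(raw) > MAX_SA_BYTES:
        return "bypass-sa"
    return "scan"


def build_sample(filename=None, payload_size=0) -> bytes:
    """Build a constructed test message (zero-filled payload, not a real sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = "Re: Application"
    m.set_content("Please see the attached zip file for details.")
    if filename:
        m.add_attachment(b"\0" * payload_size, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, size in [("your_details.zip", 115 * 1024),
                        ("report.pdf", 200 * 1024), (None, 0)]:
        print(fname, "->", prefilter(build_sample(fname, size)))
```

The check trusts the declared filename only, so it complements a real virus scanner rather than replacing one.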



_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
