GD> I'm trying to block all the annoying SoBig viruses - so I have the
GD> following:
GD> body SO_BIG_VIRUS /Please see the attached zip file for details\./
GD> score SO_BIG_VIRUS 6.0
GD> header SO_BIG_ATTACHMENT ALL =~ /your_details\.zip/
GD> score SO_BIG_ATTACHMENT 3.0
The title is actually in the body, not the header. (Possibly you need the "rawbody" directive. I'm not sure.) For SA, your first recipe is enough to score any email for Sobig.E.
You should know that Sobig.E. is programmed to stop working on July 14th, and that the reason the file name is so consistent is that there is a bug in the program. So anything you write now won't be needed in a week.
You're forgetting of course, all the computers out there in Internet Land that have their clocks set wrong ;-)
Or the fact that some (other) viruses set your clock back or ahead...or the fact that date checking routines on some viruses are very unreliable.
Remember what happened with (I think it was) Code Red, which was supposed to stop infecting on a certain date of the month, but because there was a high enough percentage of PCs with their date set wrong, they kept the infection going until the month rolled over and it kicked off again :)
This doesn't mean you won't have to worry about it. Whoever wrote Sobig.E. had a reason for the termination date, very likely because a newer version will be launched on July 15th. But of course the rule you write now won't work then, because at the very least the next version will have a change in text and file name.
I think it is a mistake to try to identify viruses with Spamassassin,
Agreed.
both because it is inefficient and because viruses often have very large binary attachments which can cause SA to crash with an out of memory error, and let the
Huh? Never had that happen to me. I use the default max scanning size of 256KB with spamc/spamd and I've never had a problem...
Regards, Simon
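
Added example, not part of the original thread: a Python sketch showing where the two strings from the rules quoted above sit in a MIME message, with the phrase in the text part and the file name in the attachment part's own headers, below the top-level header block. The sample message is constructed, the function name `check` is hypothetical, and the code does not reproduce SpamAssassin's own matching.

```python
import re
from email import message_from_bytes, policy

# Constructed sample (not a real capture): only the phrase and the file name
# come from the thread; every other value is made up for illustration.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: rcpt@example.com\r\n"
    b"Subject: Re: Application\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please see the attached zip file for details.\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/x-zip-compressed; name="your_details.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="your_details.zip"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--XYZ--\r\n"
)

PHRASE = re.compile(r"Please see the attached zip file for details\.")
ZIPNAME = re.compile(r"your_details\.zip")

def check(raw: bytes) -> dict:
    """Report which region of the message each pattern matches in."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Top-level header block only (everything before the first blank line).
    top_headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    # Undecoded body: includes the per-part MIME headers of each attachment.
    raw_body = raw.split(b"\r\n\r\n", 1)[1].decode("latin-1")
    # Decoded text/plain parts only.
    text = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "phrase_in_text": bool(PHRASE.search(text)),
        "name_in_top_headers": bool(ZIPNAME.search(top_headers)),
        "name_in_raw_body": bool(ZIPNAME.search(raw_body)),
        "attachment_names": names,
    }

if __name__ == "__main__":
    print(check(SAMPLE))
```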