Forrest Aldrich <[EMAIL PROTECTED]> writes:
> Has anyone filters for Spamassassin that will correctly identify this
> virus? I'd like to score this one high so they are rejected (via
> spamass-milter)... it's been a huge problem all day.
# Subject resembling a Microsoft patch announcement
header _VIRUS_h0_SWEN_A SUBJECT =~ m{(Current|Newest|New|Last|Latest)? ?(Internet|Network|Net|Microsoft)? ?(Security|Critical)? ?(Patch|Upgrade|Pack|Update)}i
# From display name resembling a Microsoft support department
header _VIRUS_h2_SWEN_A From =~ m{(Microsoft|MS)? ?(Internet|Corporation)? ?(Technical|Security|Customer|Public)? ?(Assistance|Services|Center|Bulletin|Division|Section)}i
# Body of the fake bounce variant
rawbody _VIRUS_b4_SWEN_A m{Undeliver(able|ed) (mail|message)? ?to}i
# Fire on (subject + From + executable attachment) or (fake bounce + executable attachment)
meta VIRUS_m_SWEN_A ((_VIRUS_h0_SWEN_A && ( MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME ) && _VIRUS_h2_SWEN_A) || (_VIRUS_b4_SWEN_A && ( MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME )))
describe VIRUS_m_SWEN_A http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
score VIRUS_m_SWEN_A 10.0
At least, that's what I came up with before I gave in and installed
ClamAV, which has successfully captured 8MB of this virus over the past
18 hours. I've got a procmail-compatible ClamAV configuration here:
<http://mah.everybody.org/weblog/archive/80614253>
Note that you may want to replace the
( MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME )
with something else. Some SMTP gateways strip the actual executable
out, but send the rest of the message on its way. In such a case,
you still get the emails.
Mark.
--
If you want to know who is funding terrorists, look in the vanity
mirror as you turn the key of your SUV.
-- http://philip.greenspun.com/politics/israel/
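
The caveat about gateways that strip the executable, as an added example (not part of the post above and not SpamAssassin code): a Python model of the meta rule evaluated over constructed messages. `exe_attached` stands in for the MICROSOFT_EXECUTABLE / MIME_SUSPECT_NAME tests, and `require_exe` is a hypothetical switch for dropping that condition, which shows how broad the header patterns are on their own.

```python
import re

# Patterns copied from the rules in the post (wrapped lines rejoined).
SUBJECT_RE = re.compile(
    r"(Current|Newest|New|Last|Latest)? ?(Internet|Network|Net|Microsoft)? ?"
    r"(Security|Critical)? ?(Patch|Upgrade|Pack|Update)", re.I)
FROM_RE = re.compile(
    r"(Microsoft|MS)? ?(Internet|Corporation)? ?"
    r"(Technical|Security|Customer|Public)? ?"
    r"(Assistance|Services|Center|Bulletin|Division|Section)", re.I)
BODY_RE = re.compile(r"Undeliver(able|ed) (mail|message)? ?to", re.I)


def swen_meta(subject, sender, body, exe_attached, require_exe=True):
    """Evaluate the VIRUS_m_SWEN_A meta expression for one message.

    exe_attached models (MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME).
    require_exe=False is a hypothetical variant without that condition.
    The body is searched as one string; SpamAssassin tests rawbody in chunks.
    """
    h0 = bool(SUBJECT_RE.search(subject))
    h2 = bool(FROM_RE.search(sender))
    b4 = bool(BODY_RE.search(body))
    exe = exe_attached or not require_exe
    return (h0 and exe and h2) or (b4 and exe)


# Constructed sample messages (not captured traffic).
WORM = dict(subject="Latest Net Security Update",
            sender="MS Technical Assistance <noreply@example.invalid>",
            body="Install the attached patch.", exe_attached=True)
STRIPPED = dict(WORM, exe_attached=False)   # gateway removed the attachment
BOUNCE = dict(subject="Returned mail", sender="Mailer <md@example.invalid>",
              body="Undeliverable mail to user@example.invalid",
              exe_attached=True)
NEWSLETTER = dict(subject="Update to your order",
                  sender="Acme Customer Services <help@example.invalid>",
                  body="Your parcel has shipped.", exe_attached=False)

if __name__ == "__main__":
    for name, msg in [("worm", WORM), ("stripped", STRIPPED),
                      ("bounce", BOUNCE), ("newsletter", NEWSLETTER)]:
        print(name, swen_meta(**msg), swen_meta(**msg, require_exe=False))
```

The stripped copy only hits once the attachment condition is dropped, and at that point the ordinary newsletter hits too, so whatever replaces that condition needs to be more specific than the header patterns alone.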