Can I just tack this on at the end of my user_prefs file?
On Sat, 20 Sep 2003, Mark A. Hershberger wrote:
> Forrest Aldrich <[EMAIL PROTECTED]> writes:
>
> > Has anyone filters for Spamassassin that will correctly identify this
> > virus? I'd like to score this one high so they are rejected (via
> > spamass-milter)... it's been a huge problem all day.
>
> header _VIRUS_h0_SWEN_A SUBJECT =~ m{(Current|Newest|New|Last|Latest)?
> ?(Internet|Network|Net|Microsoft)? ?(Security|Critical)?
> ?(Patch|Upgrade|Pack|Update)}i
> header _VIRUS_h2_SWEN_A From =~ m{(Microsoft|MS)? ?(Internet|Corporation)?
> ?(Technical|Security|Customer|Public)?
> ?(Assistance|Services|Center|Bulletin|Division|Section)}i
> rawbody _VIRUS_b4_SWEN_A m{Undeliver(able|ed) (mail|message)? ?to}i
> meta VIRUS_m_SWEN_A ((_VIRUS_h0_SWEN_A && ( MICROSOFT_EXECUTABLE ||
> MIME_SUSPECT_NAME ) && _VIRUS_h2_SWEN_A) || (_VIRUS_b4_SWEN_A && (
> MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME )))
> describe VIRUS_m_SWEN_A
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
> score VIRUS_m_SWEN_A 10.0
>
> At least, that's what I came up with before I gave in and installed
> ClamAV, which has successfully capture 8MB of this virus over the past
> 18 hours. I've got a procmail-compatible ClamAV configuration here:
> <http://mah.everybody.org/weblog/archive/80614253>
>
> Note that you may want to replace the
>
> ( MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME )
>
> with something else. Some SMTP gateways strip the actual executable
> out, but send the rest of the message on its way. In such a case,
> you still get the emails.
>
> Mark.
>
>
--
Jack Gostl [EMAIL PROTECTED]
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
