On Tue, Sep 23, 2003 at 07:16:47AM -0500, Philip Mak wrote:
...
> Unfortunately, sometimes one of these virus e-mails passes through a
> virus-stripping SMTP that removes the virused attachment, leaving the
> rest of the (junk) message. These messages end up passing through the
> ClamAV filter since they don't have viruses anymore!

Same here, filtering with amavis and McAfee, but some users complain that they get lots of those pesky 'stripped' and/or 'damaged' truncated virus mails through the filter.

Has somebody saved enough different copies of that stuff or understood enough of the 'virus-mail-structure' to make a 'meta' rule to catch it?

I think it may be possible (but CPU-consuming) to use a meta-rule to catch the typical structure:

- fake Microsoft text in ASCII and HTML
- two pictures
- one executable

MIME-encoded as (mutt shows):

  1 <no description>          [multipa/related, 7bit, 12K]
  2 |-><no description>       [multipa/alternativ, 7bit, 6.4K]
  3 | |-><no description>     [text/plain, 7bit, us-ascii, 1.2K]
  4 | `-><no description>     [text/html, 7bit, us-ascii, 5.0K]
  5 |-><no description>       [image/gif, base64, 4.8K]
  6 `-><no description>       [image/gif, base64, 0.5K]
  7 installation811.exe       [applica/x-msdownlo, base64, 0.1K]
 *========================damaged short=============================^^^^^^^

This is the one I got, in a typically broken version. (Sometimes the virus breaks itself :-)

Stucki
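
The structure check proposed in the message above, sketched as an added example that is not part of the original post and is not SpamAssassin code: each sub-test mirrors one item of the listed structure and `meta` is their conjunction. The function names, the 1024-byte threshold and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MIN_EXE_BYTES = 1024  # assumption: a smaller .exe part is a stripped/truncated stub

def structure_signals(raw: bytes) -> dict:
    """Return one boolean per sub-test plus the combined 'meta' verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.walk())
    types = [p.get_content_type() for p in parts]
    # Executable attachment whose decoded body is too short to be a real binary.
    stub = any(
        p.get_content_type() == "application/x-msdownload"
        and (p.get_filename() or "").lower().endswith(".exe")
        and len(p.get_payload(decode=True) or b"") < MIN_EXE_BYTES
        for p in parts
    )
    signals = {
        "related_alternative": "multipart/related" in types
        and "multipart/alternative" in types,
        "text_and_html": "text/plain" in types and "text/html" in types,
        "two_gifs": types.count("image/gif") == 2,
        "damaged_exe": stub,
    }
    signals["meta"] = all(signals.values())
    return signals

def build_sample(exe: bytes) -> bytes:
    """Constructed test message with the part layout from the mutt listing."""
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText("constructed plain text", "plain"))
    alt.attach(MIMEText("<p>constructed html</p>", "html"))
    rel = MIMEMultipart("related")
    rel.attach(alt)
    for _ in range(2):
        rel.attach(MIMEImage(b"GIF89a constructed bytes", "gif"))
    att = MIMEApplication(exe, "x-msdownload")
    att.add_header("Content-Disposition", "attachment",
                   filename="installation811.exe")
    root = MIMEMultipart("mixed")
    root.attach(rel)
    root.attach(att)
    return root.as_bytes()

if __name__ == "__main__":
    print(structure_signals(build_sample(b"x" * 100)))  # constructed 100-byte stub
```

Requiring all four sub-tests keeps ordinary HTML mail with inline images from matching; only the combination with an implausibly small executable part fires.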