In Postfix I use the body.regexp for the body checks.

file: /etc/postfix/main.cf

    body_checks = regexp:/etc/postfix/body_checks.regexp

Contents (only three in there at this time):

    /^RSLxwtYBDB6FCv8ybBcS0zp9VU5of3K4BXuwyehTM0RI9IrSjVuwP94xfn0wgOjouKWzGXHVk3qg$/ DISCARD Keep your viruses (sobig.f)
    /^AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v$/ DISCARD Keep your viruses (swern)
    /^zIGArlZWu25ux319xWpqnnNzppaWy46OvKKizZqavLa2176+283N5sfH34uLmpKSoNvb7c7O3L29$/ DISCARD keep your viruses (swern)
Not sure what system you use, but this has stopped many of them in their tracks. When I want to test the virus scanner I just disable the checks and then they start flowing through again... :) That way I know the system is working. Then I re-enable it to just drop this trash...

BTW, if people have more virus definitions (regexp extracts) that they have something similar to, please feel free to share them.

Gary Smith.

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Gary Funck
Sent: Fri 1/9/2004 8:27 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [SAtalk] how to filter the MS Update virus?

Not with SA, but in procmail, I use a canned recipe fetched off the net:

In .procmailrc:

    #
    # eliminate virus mail.
    #
    MYVIRUS=virus-trap
    INCLUDERC=/etc/mail/procmail/virussnag.rc

virussnag.rc is located here: http://www.spamless.us/pub/procmail/virussnag.rc

Leading comments:

    ######################### Virus Snaggers, ver. 1.31 ##########################
    ##################### by Dallman Ross <[EMAIL PROTECTED]> #####################
    #################### Copyright (c) 9/2003, by the author #####################
    ########## MAY BE USED WITH ATTRIBUTION & INTACT COPYRIGHT NOTICE; ###########
    ##################### PLEASE COMMENT ANY CHANGES AS YOURS ####################
    ###################### NO WARRANTIES, EXPRESS OR IMPLIED #####################
    ####################### Tech Support Available for Fee #######################

    # Virus Snaggers is intended to be run under procmail -- www.procmail.org

    # Place this file in its entirety somewhere reasonable.  Then run it from
    # your .procmailrc with a line like this (remove the leading comment char):
    #
    # INCLUDERC = /somewhere/reasonable/virussnag.rc

    # Caught mail is saved by default to a file called "VIRUS".  You can run
    # as-is or pre-set $MYVIRUS to something other than the default.  Or set
    # it to /dev/null if you're feeling macho.
    # E.g.,
    #
    # MYVIRUS = /dev/null   # optional line in your .procmailrc to change default
    # INCLUDERC = /somewhere/reasonable/virussnag.rc
    #
    # Other options include saving only virus headers (see "$h" variable);
    # or declining filewrites from inside this file (see "$NONDEL") while
    # nonetheless allowing viruses to be flagged ("$VIR_A", "$VIR_B") for
    # custom handling later.  See Variables Section for details.

> From: Kang, Joseph S.
> Sent: Friday, January 09, 2004 6:56 AM
>
> > We're being hit by MS security update emails. I know they're
> > not spam,
> > but rather more accurately described as virii or worms.
> >
> > However, I'm wondering if anyone has a good rule that will mark these?
>
> That's a good question. I got a few of those yesterday (day
> before?), too.
> I was freaking out trying to figure out how they got through until I
> remembered that they were over the 256K size limit for e-mails
> and bypassed
> SA. :)

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
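As an added example (not from Gary Smith's post and not Postfix code), the following Python emulates what body_checks does with a regexp table like the one at the top of the thread: every body line is tested against the rules in order, the first hit decides, and DISCARD makes Postfix claim successful delivery and then silently drop the message. Running it shows two things the rules alone do not: decoding the second rule's base64 line yields the standard "This program cannot be run in DOS mode" stub that most Windows executables carry, so that rule catches any base64-encoded executable whose encoding lines up the same way, not only the worm it was extracted from; and the third rule contains an unescaped "+", which a regex engine reads as "one or more 6s", so as written it never matches the line it was copied from (the base64 alphabet includes "+" and "/", both of which need escaping in a regexp table). The rule text is the post's own; the sample MIME body, the helper names and the simplified parser (plain /pattern/ entries only, no if/endif blocks or "!" negation) are assumptions of this example.

```python
import base64
import re

# The three rules quoted in the post, in Postfix regexp-table form:
#   /pattern/flags ACTION optional-text
BODY_CHECKS = r"""
/^RSLxwtYBDB6FCv8ybBcS0zp9VU5of3K4BXuwyehTM0RI9IrSjVuwP94xfn0wgOjouKWzGXHVk3qg$/ DISCARD Keep your viruses (sobig.f)
/^AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v$/ DISCARD Keep your viruses (swern)
/^zIGArlZWu25ux319xWpqnnNzppaWy46OvKKizZqavLa2176+283N5sfH34uLmpKSoNvb7c7O3L29$/ DISCARD keep your viruses (swern)
"""

# One table entry: /pattern/ with optional flag letters, an action word, free text.
RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[A-Za-z]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$"
)


def parse_body_checks(table):
    """Parse the simple form of a Postfix regexp table (assumption: no if/endif, no '!')."""
    rules = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: %r" % line)
        # Postfix regexp tables match case-insensitively by default; the 'i'
        # flag toggles that. Note base64 itself is case-sensitive, so the
        # default is slightly looser than a byte-exact signature.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags),
                      m.group("action").upper(),
                      m.group("text") or ""))
    return rules


def check_body(body, rules):
    """Emulate body_checks: lines are tested in order and the first rule that
    matches any line decides. Returns (action, text) or None."""
    for line in body.splitlines():
        for pattern, action, text in rules:
            if pattern.search(line):
                return action, text
    return None


def decode_signature(b64_line):
    """Decode one base64 body line to see what bytes the signature really covers."""
    return base64.b64decode(b64_line)


def escaped_rule(b64_line, text):
    """Build a DISCARD rule that matches a base64 line literally: '+' is a regex
    quantifier and '/' is the table delimiter, so both are escaped here."""
    pattern = re.escape(b64_line).replace("/", r"\/")
    return "/^%s$/ DISCARD %s" % (pattern, text)


# Constructed sample body (hypothetical MIME part): its second base64 line is the
# line the post's second rule targets; the first and last lines are filler.
SAMPLE_BODY = "\n".join([
    "Hi, see attached.",
    "",
    "--boundary42",
    "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    "",
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v",
    "ZGUuDQ0KJAAAAAAAAAA=",
    "--boundary42--",
])

# The literal line the post's third rule was written against.
THIRD_LINE = "zIGArlZWu25ux319xWpqnnNzppaWy46OvKKizZqavLa2176+283N5sfH34uLmpKSoNvb7c7O3L29"

if __name__ == "__main__":
    rules = parse_body_checks(BODY_CHECKS)
    print("sample body:", check_body(SAMPLE_BODY, rules))
    print("rule 2 decodes to:", decode_signature(
        "AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v")[21:])
    print("rule 3 against its own line:", check_body(THIRD_LINE, rules))
    print("escaped rule 3:", escaped_rule(THIRD_LINE, "keep your viruses (swern)"))
```

The takeaway for anyone maintaining a body_checks file of base64 extracts is to pick lines that decode to something specific to the sample rather than to a generic executable header, and to escape "+" and "/" (or run the line through re.escape as escaped_rule does) before pasting it into the table.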