________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Beyer
        Sent: Tuesday, January 27, 2004 4:41 AM
        To: [EMAIL PROTECTED]
        Subject: [SAtalk] [EMAIL PROTECTED] virus
        
        

        We're seeing a lot of activity from the [EMAIL PROTECTED] virus (http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED].html)

         

        Could someone help me cobble together a rule quickly to
counteract the attachments it's using.  Something to catch test.zip,
readme.zip and body.zip (the most common ones it appears to be using at
the moment).

         

        Cheers,

        Richard



Hi Richard,
This rule seems to be working fairly well for me, it doesn't grab all of
them, but does seem to get a rather large portion of them....


# Sub-rules: the double-underscore prefix keeps them from being scored on their own.
header   __YM_HS_NOVARG Subject =~ /^(?:hello|test|hi|status|error|server report|mail delivery system|mail transaction failed)$/i
body     __YM_B_NOVARG /(?:and has been sent as a binary attachment|partial message is available)/i
# Fire only when both the subject and the body phrase match.
meta     YM_M_NOVARG (__YM_HS_NOVARG && __YM_B_NOVARG)
describe YM_M_NOVARG Message contains virus
score    YM_M_NOVARG 10.0

Watch for line wraps!

HTH,
matt
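
An added example, not part of the original thread: a Python approximation of how the rule above combines its subject and body tests, run over constructed sample messages. The `evaluate` helper, the sample messages and the whitespace handling are assumptions for illustration; SpamAssassin itself evaluates the rule with Perl regexes.

```python
import re
from email import message_from_string

# Patterns copied from the rule in the reply, with the e-mail line wraps joined.
SUBJECT_RE = re.compile(r"^(?:hello|test|hi|status|error|server report|"
                        r"mail delivery system|mail transaction failed)$", re.I)
BODY_RE = re.compile(r"(?:and has been sent as a binary attachment|"
                     r"partial message is available)", re.I)

def evaluate(raw):
    """Return (subject_hit, body_hit, meta_hit) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip()
    # Assumption: body text is matched with runs of whitespace collapsed,
    # so a phrase wrapped across two lines in the message still matches.
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    body = " ".join((part.get_payload() if part else "").split())
    s, b = bool(SUBJECT_RE.search(subject)), bool(BODY_RE.search(body))
    return s, b, s and b   # meta: both sub-rules must hit

# Constructed sample messages (not captured traffic).
SAMPLES = {
    "worm_like": "Subject: Mail Delivery System\n\nThe text could not be shown "
                 "and has been sent\nas a binary attachment.\n",
    "benign_subject_only": "Subject: test\n\nJust checking the new list server.\n",
    "benign_body_only": "Subject: Re: your upload\n\nOnly a partial message is "
                        "available, please resend.\n",
    "long_subject": "Subject: test results for build 12\n\nand has been sent as "
                    "a binary attachment\n",
}

def run():
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:22s} subject={hits[0]} body={hits[1]} meta={hits[2]}")
```

Only the first sample trips the meta rule; a short subject such as "test" or the body phrase alone does not, which is why the two tests are combined before the 10.0 score is applied.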


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
