On Sun, Nov 07, 2004 at 10:04:58AM +0100, Francesco Potorti` wrote:
> >ewww!  $name="foo.com";
> >
> >congrats, you just FPed. :)
>
> No, I didn't :-)
>
> You missed the meta rule:
> meta ms_executable (__h_exename_q && !__b_exename_q)
Ok, that one didn't FP, fine. :P  I just don't like full/rawbody rules
attempting to look at MIME headers when it's trivial to just use a plugin
to do it.  0 chance of FP that way.

> Thanks for the tip.  I looked at the plugin, however, and it does
> include only a small subset of MS directly executable extensions.  Most
> notably, the .cpl and .vbe that recently mass-hit me are missing.  I used
> a comprehensive list, as far as I know, that could be easily imported in
> the module you cite.

It was a generic test to replace MICROSOFT_EXECUTABLE, which only looked
for the base64 encoded string.  I should probably make the list a bit
fuller:

ade|adp|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|url|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh

This is what came out of several discussions I was reading back the last
time some MS worm went about.

<time passes>

Ok, that list is in the plugin now. :)

> By the way, do I use the "loadplugin" command to load a module, right?

Yeah, if you put it in /etc/mail/spamassassin,
"loadplugin /etc/mail/spamassassin/MSExec.pm" ought to work. :)

-- 
Randomly Generated Tagline:
If you remove stricture from a large Perl program currently, you're just
installing delayed bugs, whereas with this feature, you're installing an
instant bug that's easily fixed.  Whoopee.
             -- Larry Wall in <[EMAIL PROTECTED]>
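The point of the exchange above is that a check confined to MIME part filenames cannot false-positive on text like `$name="foo.com";` in a message body, whereas a rawbody rule can. The following is an added example, not code from this thread or from the SpamAssassin MSExec plugin (which is Perl): it applies the extension list posted above to attachment filenames in Python, using only the standard library. The sample message is constructed for the demonstration; its text part deliberately contains the `foo.com` string from the thread, and the attachment payload is a meaningless placeholder.

```python
import email
import re
from email import policy

# Extension alternation copied verbatim from the list in the message above.
# It is Perl regex syntax, which Python's re module accepts unchanged
# (note "scr\??", which matches both ".scr" and ".scr?").
MS_EXEC_EXTS = (
    r"ade|adp|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|"
    r"inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|nws|"
    r"ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|url|"
    r"vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh"
)

# Anchor on the final extension so "readme.txt.pif" is still caught;
# Windows extension matching is case-insensitive, so the check is too.
EXEC_NAME_RE = re.compile(r"\.(?:" + MS_EXEC_EXTS + r")$", re.IGNORECASE)


def is_ms_executable_name(filename):
    """True if a MIME part filename ends in one of the listed extensions."""
    if filename is None:
        return False
    return EXEC_NAME_RE.search(filename.strip()) is not None


def ms_executable_attachments(raw_message):
    """Return the filenames of MIME parts that carry an MS-executable extension.

    Only the Content-Disposition / Content-Type filename parameters are
    inspected, never the body text, which is what keeps the check from
    firing on strings such as 'foo.com' inside a plain-text part.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition filename parameter and
        # falls back to the Content-Type name parameter.
        name = part.get_filename()
        if is_ms_executable_name(name):
            hits.append(name)
    return hits


# Constructed sample message: a text part quoting the string that tripped the
# rawbody rule in the thread, one .cpl attachment, and one harmless .txt one.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: rcpt@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

Look at $name="foo.com"; in this script, nothing executable is attached here.
--XYZ
Content-Type: application/octet-stream; name="update.cpl"
Content-Disposition: attachment; filename="update.cpl"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--XYZ--
"""

if __name__ == "__main__":
    # Expected: ['update.cpl']; the 'foo.com' in the body is never examined.
    print(ms_executable_attachments(SAMPLE_MESSAGE))
```

Running the file prints `['update.cpl']`. The `.txt` attachment and the `foo.com` in the text part are ignored, which is exactly the FP the plugin approach avoids; the trade-off is the opposite one, since a filename that has been mangled or omitted from the headers is not seen at all, so a header-only check is a complement to, not a replacement for, payload inspection.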