Blason rock skrev den 2013-09-20 12:47:
How do I block spam mails with having below text common in all
headers. I suddely started receiving it and would like to block
X-mailer: phpmailer (version 1.41)
echo "X-mailer: phpmailer (version 1.41)" | sigtool --hex-dump
>hexpart
save a foo.ndb file with
foo:0:*:hexpart
decode it with cat foo.ndb | sigtool --decode-sigs
works well on clamav
if you like to have the signature as a pua then change foo.ndb to
foo.ndu
then it will need --detect-pua=yes in clamscan
if its ndb then it works without, the foo.ndb or foo.ndu must be in
same dir as main.cvd
