I thought I would share this one with the list since it's been a while and the problem that this targets is rather problematic in nature, though not very threatening. This filter targets messages sent by virus-infected computers that are missing the attachment but define the file. This results in a zero-byte attachment and it will always get past Declude Virus, even if it has one of the commonly banned extensions associated with viruses (unless this has been addressed in a more recent interim that I'm not aware of).

This filter uses the Size.vbs external test (which is also shared in the beta section of the site) to determine if the message is of a certain size. In the filter that I have provided, it is looking for an entry that matches "SIZE-XS", which on my system is set to 2K or smaller. If it finds such a message, it then checks to see if there are indications of an attachment and, if so, whether there is an indication of BASE64 being properly encoded (always ends with two equal signs then a double line break), and if not, then it checks for an indication of one of 9 file extensions and scores them. The logic here is that a message containing an attachment of one of these types really shouldn't be smaller than 2K, and even if it were, it should be properly encoded, but a corrupted virus that sends a zero-byte attachment should fail. Messages with very small attachments should not trip this test; however, it has only been designed to work properly with BASE64 attachments, which are the obvious mechanism for almost every mass mailing virus out there because of broad support.
I haven't documented the file, so here's the configuration that I use for Size.vbs on my system as it corresponds to the test:

SIZE-XXS external 11 "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28" 2 0
SIZE-XS external 12 "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28" 0 0
SIZE-S external 13 "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28" 0 0
SIZE-M external 14 "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28" 0 0
SIZE-L external 15 "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28" 0 0
SIZE-XL external 16 "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28" 0 0
SIZE-XXL external 17 "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28" 0 0

And then the configuration for CORRUPTEDVIRUS:

CORRUPTEDVIRUS filter C:\IMail\Declude\Filters\CorruptedVirus.txt x 0 0

The actual filter and external Size.vbs test can be downloaded from the beta section of my site. These filters require the latest interim release for proper operation (1.79i8+), and the Pro version of Declude JunkMail for both to operate. Do not install these on your system if you don't understand how they work and if you don't have the version of Declude that I indicated. It is possible that with incompatible versions you will block legitimate E-mail. This filter is also brand new and mostly untested, so if you come across any issues, please share them with me and the list.

You can search the archives for a discussion of Size.vbs. Note that v1.0.1 of Size.vbs is available, which fixes a bug where it wouldn't always run.

http://www.mailpure.com/software/decludefilters/beta/

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
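
The check described in the post above, as an added Python example (it is not the CorruptedVirus.txt filter or Size.vbs, whose contents are not shown on this page). It parses the MIME structure and tests the decoded attachment length instead of matching the "==" ending in the body text; the extension list, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Assumption: the post checks nine extensions but does not name them.
SUSPECT_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat",
                      ".cmd", ".vbs", ".cpl", ".zip")
SIZE_XS_LIMIT = 2 * 1024  # "SIZE-XS" on the poster's system: 2K or smaller


def empty_suspect_attachments(raw: bytes, limit: int = SIZE_XS_LIMIT) -> list:
    """Return filenames of declared BASE64 attachments that carry no data."""
    if len(raw) > limit:             # only very small messages are examined
        return []
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()   # the file is defined in the MIME headers
        if not name or not name.lower().endswith(SUSPECT_EXTENSIONS):
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":          # like the filter, BASE64 parts only
            continue
        if not part.get_payload(decode=True):   # zero bytes after decoding
            hits.append(name)
    return hits


def make_sample(b64_body: str) -> bytes:
    """Constructed test message with one attachment named report.pif."""
    lines = [
        "From: sender@example.com", "To: rcpt@example.com",
        "Subject: constructed sample", "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="XYZ"', "",
        "--XYZ", "Content-Type: text/plain", "", "see attachment",
        "--XYZ",
        'Content-Type: application/octet-stream; name="report.pif"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="report.pif"', "",
        b64_body,
        "--XYZ--", "",
    ]
    return "\r\n".join(lines).encode("ascii")


if __name__ == "__main__":
    print(empty_suspect_attachments(make_sample("")))          # flagged
    print(empty_suspect_attachments(make_sample("aGVsbG8=")))  # not flagged
```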
