> Further testing seems to indicate that the rules will not work if
> the filtered string occurs past a point about 25K - 30K into a
> message (as was the case with this worm-laden Digest).

Unfortunately, I can't comment on this, as I have done very little with filtering.

I'm guessing you didn't get my last response, since it probably got filtered out on 
your end -- one of the drawbacks of filters!  I'll try to work around your filter.

> while the second rule filters Uuencoded attachments, characterized
> by the string Begi*n 6nn (generally all sixes)

FYI, I have just scanned a "Lost mail box" that we have (E-mail that comes in to one 
of our domains that is misaddressed), and out of 18 uuencoded attachments, the 
breakdown was as follows:

be gin 600 - 12
be gin 666 - 4
be gin 640 - 2

So, if all those attachments had been "bad" (ones that you were filtering), you only 
would have caught about 20% of them.  If you use "be gin 6" (minus the extra space), 
you would catch all of them (although it's possible that some may be sent with a 
different number in the first position).

Of course, 20 uuencoded attachments isn't enough to come to good conclusions.  But, it 
at least shows that checking the 666 isn't as reliable as it could be.


--
                      -Scott

Declude: Anti-virus and Anti-spam solutions for IMail.  http://www.declude.com
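
As an added illustration (not part of the original message, and not code from any product mentioned in it), this Python sketch matches the uuencode header on any octal mode, then confirms the hit by checking that the next line is shaped like a uuencoded data line. It scans the whole body rather than only the first 25K - 30K. The sample message, file names and function names are constructed for the example.

```python
import re
from collections import Counter

# uuencode header: "begin <octal mode> <filename>" at the start of a line.
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S.*)$")

def looks_like_uu_data(line):
    """True if line is shaped like a uuencoded data line.

    The first character carries the decoded byte count n (0..45) as chr(32+n),
    with '`' also meaning 0; at least ceil(n/3)*4 encoded characters follow.
    """
    if not line or not 32 <= ord(line[0]) <= 96:
        return False
    n = (ord(line[0]) - 32) & 0x3F
    body = line[1:]
    return (n <= 45 and len(body) >= ((n + 2) // 3) * 4
            and all(32 <= ord(c) <= 96 for c in body))

def find_uu_attachments(message):
    """Return (mode, filename, line_number) for each confirmed uuencode header."""
    lines = message.splitlines()
    hits = []
    for i, line in enumerate(lines[:-1]):
        m = BEGIN_RE.match(line)
        # Require a valid data line next, so prose starting with "begin 600"
        # is not reported as an attachment.
        if m and looks_like_uu_data(lines[i + 1]):
            hits.append((m.group(1), m.group(2), i + 1))
    return hits

def narrow_rule_hits(message):
    """Count lines a rule keyed on mode 666 alone would match."""
    return sum(1 for l in message.splitlines() if l.startswith("begin 666 "))

# Constructed sample: a prose decoy, then three attachments, two of them
# placed more than 30K into the body. "#0V%T" is the uuencoding of "Cat".
SAMPLE = (
    "Subject: constructed digest\n\n"
    "begin 600 laps around the track\nthat was the plan anyway\n"
    "begin 600 a.txt\n#0V%T\n`\nend\n"
    + "filler line of digest text\n" * 2000
    + "begin 666 b.exe\n#0V%T\n`\nend\n"
    "begin 640 c.doc\n#0V%T\n`\nend\n"
)

if __name__ == "__main__":
    found = find_uu_attachments(SAMPLE)
    print(Counter(mode for mode, _, _ in found), narrow_rule_hits(SAMPLE))
```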