John Hardin, author of the Procmail Sanitizer, just posted the following rule
to the Sanitizer mailing list to catch Novarg. What's needed to translate it
into an MD equivalent? (Another rule after this one does the needed
administrative tasks based on the X-Content-Security headers.)
#
# Trap NovArg
# Signature as of 01/26/2004
#
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
{
:0 B hfi
* ^Content-Type: text/plain;$.*charset="Windows-1252"
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]"
}
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
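
The recipe's conditions applied to a parsed MIME message, as an added example that is not part of the original post and is neither John Hardin's code nor a MIMEDefang filter. It is written in Python, checks the attachment conditions per MIME part rather than as independent body greps (an assumption), and the names matches_novarg_signature and build_sample are hypothetical.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment-name pattern from the recipe's two scored conditions
# (procmail matches case-insensitively by default).
NAME_RE = re.compile(
    r"(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip",
    re.IGNORECASE,
)

def matches_novarg_signature(raw: bytes) -> bool:
    """Apply the recipe's conditions to one raw RFC 822 message."""
    # "* > 10000" / "* < 50000": total message size in bytes.
    if not 10000 < len(raw) < 50000:
        return False
    msg = message_from_bytes(raw, policy=policy.default)
    # "* ^Content-Type:.*multipart/mixed;"
    if msg.get_content_type() != "multipart/mixed":
        return False
    cp1252_text = named_zip = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_content_type() == "text/plain"
                and (part.get_content_charset() or "") == "windows-1252"):
            cp1252_text = True
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        # get_filename() reads filename= or name= after header unfolding,
        # which covers both of the recipe's scored name conditions.
        name = part.get_filename() or ""
        if (part.get_content_disposition() == "attachment"
                and cte == "base64" and NAME_RE.match(name)):
            named_zip = True
    return cp1252_text and named_zip

def build_sample(filename: str, payload_size: int) -> bytes:
    """Constructed, harmless test message: zero bytes as the attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("placeholder\n", charset="windows-1252")
    msg.add_attachment(b"\0" * payload_size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(matches_novarg_signature(build_sample("document.zip", 12000)))
```

The two scored conditions in the recipe exist only because the name parameter may sit on a folded continuation line; a MIME parser unfolds headers first, so one filename check replaces both.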