At 5/4/2000 11:29 PM -0600, Bruce Guenter wrote or quoted:
> > Anyone can rename that .vbs to whatever they want and send it around again
> > so wouldn't it be more efficient to filter all .vbs attachments?
>
>Nope, you're exactly right. However, the question was, how do I filter
>the "ILOVEYOU" worm, and the above is a quick (and somewhat dirty)
>answer. If you know how to identify VBS source, with the absence of a
>MIME type, please tell us. I intend to do this for my employers, so I'm
>not just being facetious.
I really think this is the way to go as well. I've been telling my employer
since yesterday morning that the Subject: line is probably the single most
easily mutable thing about this email, and that it would make much more
sense to just stop any mail containing a .vbs attachment.
I looked at the copy on my disk, and found the following at the beginning:
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64
You could probably just do a regex match on:
^Content-type: \S+\; name=\".+\.vbs\"
(Note: I have not tested that regex yet. It may not even function. It is
quick-and-dirty, and even if it *does* work, there are probably better ways
to do it.)
In particular, there's probably a better way to express that .+\.vbs,
although I note that \w+\.vbs and \S+\.vbs are *not* the way to do it, as
filenames may contain spaces and other characters.
-----------------------------------------------------------------
Kai MacTane
System Administrator
Online Partners.com, Inc.
-----------------------------------------------------------------
From the Jargon File: (v4.0.0, 25 Jul 1996)
finger trouble /n./
Mistyping, typos, or generalized keyboard incompetence (this is
surprisingly common among hackers, given the amount of time they
spend at keyboards). "I keep putting colons at the end of statements
instead of semicolons", "Finger trouble again, eh?".
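A header-aware version of the attachment check discussed in the post, added here as an example and not part of the original thread: rather than a regex over the raw Content-Type line, it lets Python's stdlib MIME parser collect attachment names, so folded headers, a differently cased extension, and a filename= that appears only in Content-Disposition are all caught. The sample message and the blocked-suffix list are constructed for the example.

```python
import email
from email import policy
from email.utils import collapse_rfc2231_value

# Constructed sample (not a real worm sample): the attachment headers mirror
# the shape quoted in the post; the body is a harmless base64 string.
SAMPLE_MESSAGE = """\
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--XYZ
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQK
--XYZ--
"""

# Assumed site policy: block VBScript attachments regardless of Subject line.
BLOCKED_SUFFIXES = (".vbs", ".vbe")


def attachment_names(raw: str) -> list:
    """Collect attachment names from every leaf part of the MIME tree.

    Both Content-Disposition filename= and Content-Type name= are consulted;
    folding, quoting and RFC 2231 encoding are handled by the parser.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        for name in (part.get_filename(), part.get_param("name")):
            if name is not None:
                name = collapse_rfc2231_value(name)
            if name and name not in names:
                names.append(name)
    return names


def has_blocked_attachment(raw: str) -> bool:
    """True if any attachment name ends in a blocked suffix, case-insensitively."""
    return any(n.lower().endswith(BLOCKED_SUFFIXES) for n in attachment_names(raw))
```

A filter built this way keys on the attachment rather than the Subject: line, which is the point made in the post; it still only sees what the sender declares in the headers.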