For what it's worth, I append my contribution to the matter below my
signature. I do hope folks will let me know if they see any problems
with it. Thanks to Matt and Bret for the content I took from their
discussion ...
Folks will of course want to adjust the domain-specific portions ...
--
----------------------------------------------------------------------
Sylvain Robitaille [EMAIL PROTECTED]
Systems analyst / Postmaster Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
# 2004/03/03 Sylvain Robitaille: trap Bagle variants. Based on
# discussion in spamassassin-users mailing list; specifically
# contributions by "Yackley, Matt" <[EMAIL PROTECTED]>
# and "Bret Miller" <[EMAIL PROTECTED]>
# Site-specific: the sender domain following the "@" was masked by the list
# archive as "[EMAIL PROTECTED]"; substitute your own domain before use.
header __CONCORDIA_BAGLE_FROM From =~ /(?:abuse|management|administration|staff|noreply|support)[EMAIL PROTECTED]/
body __CONCORDIA_BAGLE_GREETING /^(?:dear|hello)\s+user/i
# The tail of this pattern (the closing brace of the {11,...} quantifier and the
# domain) was also masked by the archive; restore it for your site.
header __CONCORDIA_BAGLE_MSGID Message-ID =~ /[a-z]{11,[EMAIL PROTECTED]/
describe __CONCORDIA_BAGLE_MSGID Message-ID in format used by Bagle variants
# Kept on a single line (the directive had been wrapped); \s* covers the
# whitespace between the ";" and the name= parameter.
rawbody __CONCORDIA_ATTACH /^Content-Type: application\/octet-stream;\s*name=".+\.(pif|zip)"$/
describe __CONCORDIA_ATTACH Message contains suspicious attachment.
# NOTE that this might be worth using in other contexts, but for now I'm
# including only those I've seen with this particular virus.
body __CONCORDIA_BAGLE_REGARDS /^(?:kind regards|sincerely)/i
describe __CONCORDIA_BAGLE_REGARDS Bagle variant closing
# This might be useful to catch these in a site-agnostic way:
meta T_CONCORDIA_BAGLE_VARIANT (__CONCORDIA_BAGLE_GREETING && __CONCORDIA_ATTACH && __CONCORDIA_BAGLE_REGARDS)
meta CONCORDIA_BAGLE_VARIANT (__CONCORDIA_BAGLE_FROM && __CONCORDIA_BAGLE_GREETING && __CONCORDIA_BAGLE_MSGID && __CONCORDIA_ATTACH && __CONCORDIA_BAGLE_REGARDS)
describe CONCORDIA_BAGLE_VARIANT Message contains a variant of the "Bagle/Beagle" virus
score CONCORDIA_BAGLE_VARIANT 20.0
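The ruleset above, exercised offline. This is an added Python re-implementation of the matching logic, not SpamAssassin's engine and not part of the original post: the regexes are the posted rules, while the evaluation (per-header matching, per-line matching over decoded text parts, a rawbody scan over unfolded raw lines, and the meta conjunctions) is an approximation written here so the rules can be tried against constructed messages without a SpamAssassin install. SITE_DOMAIN (example.org) and the completed Message-ID quantifier are assumptions standing in for the portions the archive masked; both sample messages are constructed, not captures.

```python
"""Offline re-implementation of the Concordia Bagle ruleset's matching logic.

Added example, not SpamAssassin code. SITE_DOMAIN and the completed
Message-ID quantifier are assumptions for the masked parts of the posted rules.
"""
import email
import re
from email import policy

SITE_DOMAIN = r"example\.org"  # assumption: the posted rule's domain was masked

RE_FROM = re.compile(
    r"(?:abuse|management|administration|staff|noreply|support)@" + SITE_DOMAIN)
RE_GREETING = re.compile(r"^(?:dear|hello)\s+user", re.I)
RE_MSGID = re.compile(r"[a-z]{11,}@")  # assumed completion of "[a-z]{11,..."
RE_ATTACH = re.compile(
    r'^Content-Type: application/octet-stream;\s*name=".+\.(pif|zip)"$')
RE_REGARDS = re.compile(r"^(?:kind regards|sincerely)", re.I)

# Constructed samples (not real captures). The first mimics the shape the rules
# describe; the second is a plausible legitimate helpdesk reply.
BAGLE_LIKE = b"""From: staff@example.org
To: someone@example.net
Subject: Re: Msg reply
Message-ID: <qwertyuiopasdfgh@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello user,

Your account information is attached.

Kind regards,
Staff
--b1
Content-Type: application/octet-stream;
\tname="Information.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

BENIGN = b"""From: support@example.org
To: someone@example.net
Subject: Ticket closed
Message-ID: <20040303120000.GA1234@example.org>
MIME-Version: 1.0
Content-Type: text/plain

Hello user,

Your ticket has been closed.

Kind regards,
Support desk
"""


def header_hit(msg, name, rx):
    """'header NAME =~ /re/': run the regex over the header's value."""
    return rx.search(str(msg.get(name, ""))) is not None


def body_lines(msg):
    """'body' rules see the decoded text parts, line by line."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            yield from part.get_content().splitlines()


def rawbody_lines(raw):
    """'rawbody' approximation: raw message lines, MIME part headers included,
    with folded header continuations joined so the attachment's
    'Content-Type: ...;' + '\\tname=...' pair is seen as one line."""
    return re.sub(rb"\r?\n[ \t]+", b" ", raw).decode("utf-8", "replace").splitlines()


def evaluate(raw):
    """Return a dict of rule name -> bool, sub-rules and metas alike."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = list(body_lines(msg))
    hits = {
        "__CONCORDIA_BAGLE_FROM": header_hit(msg, "From", RE_FROM),
        "__CONCORDIA_BAGLE_GREETING": any(RE_GREETING.search(l) for l in body),
        "__CONCORDIA_BAGLE_MSGID": header_hit(msg, "Message-ID", RE_MSGID),
        "__CONCORDIA_ATTACH": any(RE_ATTACH.search(l) for l in rawbody_lines(raw)),
        "__CONCORDIA_BAGLE_REGARDS": any(RE_REGARDS.search(l) for l in body),
    }
    # Meta rules: every conjunct must hit, which is what keeps the 20.0 score
    # from firing on a lone "Hello user" or a lone .zip attachment.
    hits["T_CONCORDIA_BAGLE_VARIANT"] = all(hits[k] for k in (
        "__CONCORDIA_BAGLE_GREETING", "__CONCORDIA_ATTACH", "__CONCORDIA_BAGLE_REGARDS"))
    hits["CONCORDIA_BAGLE_VARIANT"] = all(v for k, v in hits.items() if k.startswith("__"))
    return hits


def score(hits):
    """'score CONCORDIA_BAGLE_VARIANT 20.0'; __ sub-rules score 0 by convention."""
    return 20.0 if hits["CONCORDIA_BAGLE_VARIANT"] else 0.0


if __name__ == "__main__":
    for label, raw in (("bagle-like", BAGLE_LIKE), ("benign", BENIGN)):
        h = evaluate(raw)
        print(label, score(h), [k for k, v in h.items() if v])
```

The benign sample trips the greeting, the closing and even the From sub-rule, yet scores 0.0 because the meta rules require every conjunct; that is the point of the `__` sub-rule / meta split. For the real ruleset the check that matters is still `spamassassin --lint` after the rules go into local.cf, since this script does not reproduce SpamAssassin's config parser.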