-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday, October 26, 2002, Scott McNay wrote...
SU>> I have received 18 files within the last 48 hours that are
SU>> infected with the I-Worm/klez.k virus. No damage has been done,
SU>> but it is a real nuisance. I downloaded the bat this evening and
SU>> noticed that the bat is immune to the current versions of the
SU>> klez.k worm.

> I posted a filter a couple of days ago that seems to be consistently
> able to catch klez and bugbear (although it might catch innocent
> email as well, so watch out). With this, you wouldn't have to block
> a specific IP. Here's a repost:

I must have completely missed the original posting on this one.

[snip]

> Due to a bug in filtering mime headers (apparently can't do it)

I wouldn't call it a bug myself, more of a design theory. I have two theories as to why they stop filtering past the standard headers and the main body.

1. Base64 encoded attachments can be very long even for small files; filtering on through that would chunk a fair bit of resources each time.

2. In Base64 encoded files, you often spot many random words which are often used in filtering of spam. I managed to catch a (completely legitimate) .pdf file attachment this way, because I have my server side mail filter set to catch the word "finance", and it managed to catch it.

> this apparently cannot be done in a direct manner. The best that I
> could do is this, which seems to catch both BugBear and Klez:
> MainSet: 40Content-Type: multipart/alternative

Ewww... I get a whole load of emails each day from clients and friends that all use multipart/alternative headers for including HTML parts. I just did a quick scan of my mail base and found 974 emails containing multipart/alternative headers, including one from a spam defence thing for Serg over at Ritlabs. I'll have a rough stab in the dark saying 75% of those mails are from Outlook/Outlook Express users.
- -- 
Jonathan Angliss ([EMAIL PROTECTED])

-----BEGIN PGP SIGNATURE-----
Comment: Fingerprint: 676A 1701 665B E343 E393 B8D2 2B83 E814 F8FD 1F73

iQA/AwUBPbthCyuD6BT4/R9zEQJMRgCePzKSUTDlA5DOvzXkEeOQa6RkUu0Anjxc
fc/pQLRvpx8eOVEsjhavg8xS
=q5ho
-----END PGP SIGNATURE-----

________________________________________________
Current version is 1.61 | "Using TBUDL" information: http://www.silverstones.com/thebat/TBUDLInfo.html
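The two observations in the message above (a filter on "Content-Type: multipart/alternative" fires on every ordinary text+HTML mail, and a keyword filter that scans raw base64 attachments fires on random-looking text such as "finance") can be reproduced with a few lines of Python. The script below is an added example, not code from the post, from The Bat!, or from the poster's server-side filter; it uses only the standard library `email` module. The addresses and message bodies are hypothetical, and the attachment bytes are constructed so that their base64 form spells the literal text "finance0".

```python
"""Added example (not from the TBUDL post or The Bat!): why a filter on
"Content-Type: multipart/alternative" hits ordinary HTML mail, and why a
keyword filter that scans raw base64 attachments fires on random-looking text.
Uses only the Python standard library. Addresses and message bodies are
constructed for the demonstration."""
import base64
import email
from email import policy
from email.message import EmailMessage

HEADER_NEEDLE = b"Content-Type: multipart/alternative"   # the rule from the post


def build_html_mail() -> bytes:
    """Constructed sample: a legitimate plain-text + HTML mail, as most
    graphical clients send it. This is what the header rule mis-flags."""
    msg = EmailMessage()
    msg["From"] = "client@example.org"        # hypothetical sender
    msg["To"] = "jon@example.net"             # hypothetical recipient
    msg["Subject"] = "Meeting notes"
    msg.set_content("Plain text part of an ordinary message.")
    msg.add_alternative("<p>HTML part of an ordinary message.</p>",
                        subtype="html")       # turns it into multipart/alternative
    return msg.as_bytes()


def build_pdf_mail() -> bytes:
    """Constructed sample: a plain message with one base64-encoded attachment.
    The attachment bytes are chosen so that their base64 form is the literal
    text "finance0": 8 base64 characters encode exactly 6 bytes, so decoding
    "finance0" and re-encoding the result yields "finance0" again."""
    blob = base64.b64decode(b"finance0")      # 6 arbitrary bytes, constructed
    msg = EmailMessage()
    msg["From"] = "client@example.org"        # hypothetical sender
    msg["To"] = "jon@example.net"             # hypothetical recipient
    msg["Subject"] = "Report attached"
    msg.set_content("Report attached, see the PDF.")
    msg.add_attachment(blob, maintype="application", subtype="pdf",
                       filename="report.pdf")  # base64 CTE by default
    return msg.as_bytes()


def header_rule_matches(raw: bytes) -> bool:
    """The filter from the post: a literal match on the raw header line."""
    return HEADER_NEEDLE in raw


def raw_keyword_matches(raw: bytes, word: str) -> bool:
    """A keyword filter that scans the whole raw message, base64 and all
    (the behaviour the poster's server-side filter showed)."""
    return word.lower().encode() in raw.lower()


def decoded_keyword_matches(raw: bytes, word: str) -> bool:
    """The same keyword check, but applied only to decoded text/* parts,
    so base64 noise inside binary attachments cannot trigger it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                           # skip multipart containers, application/pdf, ...
        if word.lower() in part.get_content().lower():
            return True
    return False


def classify(raw: bytes, word: str = "finance") -> dict:
    """Run all three checks on one message so the results can be compared."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "content_type": msg.get_content_type(),
        "header_rule": header_rule_matches(raw),
        "raw_keyword": raw_keyword_matches(raw, word),
        "decoded_keyword": decoded_keyword_matches(raw, word),
    }


if __name__ == "__main__":
    for name, builder in (("html mail", build_html_mail),
                          ("pdf mail", build_pdf_mail)):
        print(name, classify(builder()))
```

Running it shows the header rule flagging the harmless HTML mail (the 974-message false-positive problem) while leaving the attachment mail alone, and the raw keyword grep firing on the PDF attachment purely because of its base64 text, which the decoded check does not. The decoded check is only a sketch of the direction a filter would have to take; it does not attempt to identify the worm itself.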