-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday, October 26, 2002, Scott McNay wrote...
SU>> I have received 18 files within the last 48 hours that are
SU>> infected with the I-Worm/klez.k virus. No damage has been done,
SU>> but it is a real nuisance. I downloaded the bat this evening and
SU>> noticed that the bat is immune to the current versions of the
SU>> klez.k worm.
> I posted a filter a couple of days ago that seems to be consistently
> able to catch klez and bugbear (although it might catch innocent
> email as well, so watch out). With this, you wouldn't have to block
> a specific IP. Here's a repost:
I must have completely missed the original posting on this one.
[snip]
> Due to a bug in filtering mime headers (apparently can't do it)
I wouldn't call it a bug myself, more of a design theory. I have two
theories as to why they stop filtering past the standard headers, and
the main body.
1. Base64 encoded attachments can be very long even for small files,
filtering on through that would chunk a fair bit of resources each
time.
2. In Base64 encoded files, you often spot many random words which
are often used in filtering of spam. I managed to catch a file
attachment (completely legitimate) of a .pdf file in it because I
have my server side mail filter set to catch the word finance, it
managed to catch it.
> this apparently cannot be done in a direct manner. The best that I
> could do is this, which seems to catch both BugBear and Klez:
> MainSet: 40Content-Type: multipart/alternative
Ewww... I get a whole load of emails each day from clients, and
friends that all use multipart/alternative headers for including HTML
parts. I just did a quick scan of my mail base and found 974 emails
containing multipart/alternative headers. Including one from a spam
defence thing for Serg over at Ritlabs. I'll have a rough stab in the
dark saying 75% of those mails are from Outlook/Outlook Express users.
- --
Jonathan Angliss
([EMAIL PROTECTED])
-----BEGIN PGP SIGNATURE-----
Comment: Fingerprint: 676A 1701 665B E343 E393 B8D2 2B83 E814 F8FD 1F73
iQA/AwUBPbthCyuD6BT4/R9zEQJMRgCePzKSUTDlA5DOvzXkEeOQa6RkUu0Anjxc
fc/pQLRvpx8eOVEsjhavg8xS
=q5ho
-----END PGP SIGNATURE-----
________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
