On 2003.09.20 14:56, [EMAIL PROTECTED] wrote:
roland smith, whom i met while googling, shared a *wonderful* procmail recipe that catches windows viruses. it's made my life bearable. here it is:
# Broad antivirus recipe:
#
# It looks at the contents of attachments. The 2nd condition is the header of
# a win32 exe encoded with the base64 algorithm. No matter how the virus is
# named, that header MUST have this specific form, or it won't be recognized
# by windows as an executable. So every attachment that starts with
# TVqQAAMAAAAEAAAA//8AALg is a win32 program and a potential virus. The 3rd
# condition is the string "this program cannot be run in MS-DOS mode" encoded
# in base64. It's there just to be sure, and avoid false positives.
#
:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVqQAAMAAAAEAAAA//8AALg
* 4fug4AtAnNIbg
{
  LOG="[virus: win32 exe] "

  :0
  DUMP
}
just cut and paste into .procmailrc and your 99E999 swen viruses per day will be placed into $MAILDIR/DUMP (or /dev/null if that's what you want).
the guy had some good procmail recipes on his website:
http://www.xs4all.nl/~rsmith/spamblock.html
This rule will be useless on UC Davis email accounts except possibly in the first couple hours of an attack. UC Davis uses MIMEDefang on all of its incoming emails, so the attachment was stripped but the messages kept propagating to my email address. Unfortunately, MIMEDefang doesn't seem to leave any indication behind when it removes something, so I couldn't grep for that. For the [EMAIL PROTECTED], I just grep for some of the data in its images (SpamAssassin's Bayesian filter wasn't doing such a good job of stopping this virus from appearing in my inbox):
# Filter away the (MimeDefang'ed) [EMAIL PROTECTED] virus
:0 B:
* ^zIGArlZWu25ux319xWpqnnNzppaWy46
* ^3EWC31mS40Zxr4uw6LXN8iZkuXmn5
* ^Content-transfer-encoding: base64
probably-virus/.
-- I usually have a GPG digital signature included as an attachment. See http://www.gnupg.org/ for info about these digital signatures. My key was last signed 6/10/2003. If you use GPG, *please* see me about signing the key. ***** My computer can't give you viruses by email. ***
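The check the first recipe performs on base64 text, redone on the decoded attachment bytes with Python's standard `email` module, as an added example that is not part of the original messages or of Roland Smith's recipes. The function names and the sample message are constructed for illustration; the sample bytes are an inert header fragment, not a real program.

```python
import base64
from email import message_from_bytes
from email.message import EmailMessage

RECIPE_PREFIX = "TVqQAAMAAAAEAAAA//8AALg"  # base64 prefix from the first recipe
# Constructed sample: first 18 bytes of a typical Win32 "MZ" header.
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b800")
# Constructed sample: the DOS stub code and message that follow at offset 0x40.
DOS_STUB = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode"


def matches_recipe_prefix(data: bytes) -> bool:
    """True if data, once base64-encoded, starts with the recipe's prefix."""
    return base64.b64encode(data[:18]).decode().startswith(RECIPE_PREFIX)


def scan_message(raw: bytes) -> list:
    """Return (filename, verdict) for each base64 part that decodes to an MZ image."""
    hits = []
    for part in message_from_bytes(raw).walk():
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"MZ"):
            continue
        # Second signal, like the recipe's third condition: the DOS stub text.
        stub = b"cannot be run in DOS mode" in data[:1024]
        hits.append((part.get_filename() or "(unnamed)",
                     "win32 exe" if stub else "MZ header only"))
    return hits


def build_sample() -> bytes:
    """Constructed message: a text body, a fake executable, and a harmless blob."""
    fake_exe = MZ_HEADER + b"\x00" * 46 + DOS_STUB  # inert bytes, not a real program
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    msg.add_attachment(b"plain notes", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Because the scan works per MIME part on decoded bytes, it reports which attachment matched and does not depend on how the sender's mailer wrapped the base64 lines.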
