> And for that particular worm there's no need to match the body :
> /etc/procmailrc :
> :0:
> * ^Content-Disposition: Multipart message
> /var/log/spam/sircam
>
> The Content-Disposition: Multipart message is incorrect. No false positives
> in more than one week on a university server.
Right, but you don't get them all; in yesterday's mail,

  3,521 match on body (first line of encoded virus):
        TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAA
  2,785 match on header:
        Content-Disposition: Multipart message

Also seen: 'Content-disposition: Multipartmessage' (several),
'Content-Disposition: MULTIPART' (one), no Content-disposition header,
and bounces with the virus message inside them as a MIME part.
Joseph Brennan [EMAIL PROTECTED]
Academic Technologies Group, Academic Information Systems (AcIS)
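The two rules compared in the reply (header match versus first base64 line of the body), as an added example that is not part of the original mail. It is a Python stand-in for the procmail conditions, not procmail itself, and the five sample messages are constructed here for illustration: one with the exact header from the recipe, the two spelling variants the reply lists, one with no Content-Disposition header at all, a bounce carrying the worm as a message/rfc822 part, and one ordinary mail. The header regex is deliberately looser than the recipe's literal string so that the variants also hit; `classify` and `tally` are names chosen for this example.

```python
import re
from email import message_from_string

# Content-Disposition values seen in the thread for this worm, matched
# case-insensitively with optional whitespace so that "Multipart message",
# "Multipartmessage" and "MULTIPART" all hit.  The literal procmail condition
# "^Content-Disposition: Multipart message" catches only the first.
HEADER_RE = re.compile(r"^\s*multipart(\s*message)?\s*$", re.IGNORECASE)

# First base64 line of the encoded executable quoted in the reply.  "TVpQ"
# decodes to "MZP", the start of the DOS/PE header, which is why the line is
# stable across copies of the attachment.
BODY_PREFIX = "TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAA"
BODY_RE = re.compile(r"^" + re.escape(BODY_PREFIX), re.MULTILINE)


def _scan(part, inside_bounce, hits):
    """Recurse through MIME parts, descending into message/rfc822 bodies so a
    bounce that carries the worm as an attached message is still flagged."""
    for value in part.get_all("Content-Disposition", []):
        if HEADER_RE.match(str(value)):
            hits["header"] = True
            hits["in_bounce"] |= inside_bounce
    if part.is_multipart():
        # To the email module a message/rfc822 part is "multipart": its
        # payload is a list holding the single embedded Message.
        nested = inside_bounce or part.get_content_type() == "message/rfc822"
        for child in part.get_payload():
            _scan(child, nested, hits)
    else:
        # decode=False keeps the raw transfer-encoded text, which is what a
        # procmail body condition sees.
        payload = part.get_payload(decode=False)
        if isinstance(payload, str) and BODY_RE.search(payload):
            hits["body"] = True
            hits["in_bounce"] |= inside_bounce


def classify(raw):
    """Report which of the two rules fire on one raw RFC 822 message."""
    hits = {"header": False, "body": False, "in_bounce": False}
    _scan(message_from_string(raw), False, hits)
    return hits


def tally(raw_messages):
    """Count header hits, body hits, body-only hits, and messages neither rule
    touches, mirroring the per-day numbers given in the reply."""
    counts = {"header": 0, "body": 0, "missed_by_header": 0, "clean": 0}
    for raw in raw_messages:
        h = classify(raw)
        counts["header"] += h["header"]
        counts["body"] += h["body"]
        if h["body"] and not h["header"]:
            counts["missed_by_header"] += 1
        if not (h["body"] or h["header"]):
            counts["clean"] += 1
    return counts


# Constructed sample traffic (not real captures); ENCODED stands in for the
# base64 attachment body and only its first line matters to the rule.
ENCODED = BODY_PREFIX + "AAAA\nQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
HDRS = "From: a@example.org\nTo: b@example.org\nSubject: Hi\n"
SAMPLES = [
    HDRS + "Content-Disposition: Multipart message\n"
    "Content-Transfer-Encoding: base64\n\n" + ENCODED,
    HDRS + "Content-disposition: Multipartmessage\n"
    "Content-Transfer-Encoding: base64\n\n" + ENCODED,
    HDRS + "Content-Transfer-Encoding: base64\n\n" + ENCODED,
    "From: MAILER-DAEMON@example.org\nTo: a@example.org\n"
    "Subject: Undelivered Mail\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="bnd"\n\n'
    "--bnd\nContent-Type: text/plain\n\nCould not deliver.\n"
    "--bnd\nContent-Type: message/rfc822\n\n"
    + HDRS + "Content-Disposition: MULTIPART\n"
    "Content-Transfer-Encoding: base64\n\n" + ENCODED + "--bnd--\n",
    "From: a@example.org\nTo: b@example.org\nSubject: Lunch\n\nNoon?\n",
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES, 1):
        print(i, classify(raw))
    print(tally(SAMPLES))
```

Run stand-alone it prints the per-message verdicts and the totals; the third sample is the case the quoted recipe cannot see (no Content-Disposition header), and the fourth shows why the scan must descend into message/rfc822 parts rather than stopping at the outer bounce headers.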