On Mon, 26 Jan 2004, Brent J. Nordquist <[EMAIL PROTECTED]> wrote:

> So far the ZIP ones are all between 22640 and 22798 bytes inclusive.  
> Can someone post a quick example on how to test an attachment's size?

After some archive digging here's what I arrived at, if it's useful to
anyone else.  I've tested it with the edge cases for size and it seems to
work fine.  This could be tightened further (zip will be 22640-22798, and
the others will only be 22528) but I think this is close enough for an
outbreak.  This goes in "sub filter" after the virus section:

    my $virre = qr/\.(pif|scr|exe|cmd|bat|zip)$/;
    if (re_match($entity, $virre)) {
        my $size = (stat($entity->bodyhandle->path))[7];
        if ($size >= 22528 && $size <= 22798) {
            $VirusName = 'W32/[EMAIL PROTECTED]';
            md_graphdefang_log('virus', $VirusName, $RelayAddr);

            # Discard the mail!  Notify the administrator.
            action_discard();
            action_notify_administrator("A known virus ($VirusName) was discovered and deleted.\nThe relaying machine was $RelayAddr\n");

            # But quarantine the message for examination later.  Comment
            # the next line out if you don't want to bother.
            action_quarantine_entire_message("The $VirusName virus was discovered; message discarded.\n");

            return;
        }
    }

-- 
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti
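
The tighter per-extension check mentioned in the message above, written as an added example that is not part of the original post or of MIMEDefang itself. The helper name `matches_outbreak_profile` and the sample file names are hypothetical; the size figures are the ones quoted in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Per-extension size windows (bytes, inclusive), from the figures in the post:
# ZIP attachments 22640-22798, every other listed extension exactly 22528.
my %SIZE_WINDOW = (
    zip => [22640, 22798],
    map { $_ => [22528, 22528] } qw(pif scr exe cmd bat),
);

# Hypothetical helper (not a MIMEDefang function): returns 1 when both the
# attachment name and its decoded on-disk size fit the outbreak profile.
sub matches_outbreak_profile {
    my ($filename, $size) = @_;
    return 0 unless defined $filename && defined $size;

    # Use the last extension only, compared case-insensitively.
    my ($ext) = $filename =~ /\.([^.]+)\z/ or return 0;
    my $window = $SIZE_WINDOW{lc $ext} or return 0;

    return ($size >= $window->[0] && $size <= $window->[1]) ? 1 : 0;
}

# Constructed samples (name, size in bytes) exercising every boundary.
my @samples = (
    ['document.zip', 22639],   # one byte below the ZIP window
    ['document.zip', 22640],   # lower ZIP bound
    ['DOCUMENT.ZIP', 22798],   # upper ZIP bound, upper-case name
    ['document.zip', 22799],   # one byte above the ZIP window
    ['document.zip', 22528],   # non-ZIP size on a ZIP name
    ['readme.pif',   22528],   # exact size for the other extensions
    ['readme.scr',   22529],   # one byte off
    ['readme.exe',   22640],   # ZIP-range size on a non-ZIP name
    ['notes.txt',    22528],   # right size, extension not on the list
    ['noextension',  22528],   # no extension at all
);

for my $s (@samples) {
    my ($name, $size) = @$s;
    printf "%-14s %6d  %s\n", $name, $size,
        matches_outbreak_profile($name, $size) ? 'MATCH' : 'pass';
}
```

Inside `sub filter` the helper would take the attachment's file name and the `stat` size from the snippet in the message in place of the single 22528-22798 range.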
