Alan Batie <[EMAIL PROTECTED]> wrote:
> The one I've got looks for a particular string and only in
> likely cases. It shouldn't be filtering *all* exe's unless they
> all have m!^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA! in the first 40
> lines...

Well, a great many of them do. It's certainly not specific to
the Klez virus. But you're right, some executables still slip
through. I'm using m!^TV[pq]QAA[MI]AAAAEAA[8A]A! instead
(copied from SpamAssassin's MICROSOFT_EXECUTABLE test), since I
do want to reject all executables.

I've also added these lines to reject small messages with
zipped attachments (like those the MyDoom virus sends):

    return (DENY, "Probable zipped virus detected")
        if $seen_klez_signature
        and m!^UEsDBAoAAAAAA!
        and $transaction->body_size < 40_000;

--
Keith C. Ivey <[EMAIL PROTECTED]>
Washington, DC
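
Added example, not part of the original message or of the plugin's code: a Python check of which file headers the three patterns quoted in this thread cover once an attachment is base64-encoded. The header builders, helper names and sample field values are constructed for illustration; the patterns are copied from the messages above.

```python
import base64
import re
import struct

# Patterns quoted in the thread (Perl m!...! bodies; same syntax in Python's re).
STRICT_EXE = re.compile(r"^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA")
LOOSE_EXE = re.compile(r"^TV[pq]QAA[MI]AAAAEAA[8A]A")
STORED_ZIP = re.compile(r"^UEsDBAoAAAAAA")


def dos_header(cblp, cp, minalloc):
    """Constructed 64-byte DOS (MZ) header; only the three given fields vary."""
    # Order after e_magic: e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc,
    # e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc (little-endian words).
    fields = [cblp, cp, 0, 4, minalloc, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40]
    return (b"MZ" + struct.pack("<12H", *fields)).ljust(64, b"\0")


def zip_local_header(version, method, name=b"sample.bin"):
    """Constructed zip local file header (signature PK 03 04) for an empty entry."""
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", version, 0, method,
                       0, 0, 0, 0, 0, len(name), 0) + name


def first_b64_line(data):
    """First 76-character line of the MIME base64 encoding of data."""
    return base64.encodebytes(data).decode("ascii").splitlines()[0]


def matches(data):
    """Names of the thread's patterns that hit the attachment's first line."""
    line = first_b64_line(data)
    tests = (("strict_exe", STRICT_EXE), ("loose_exe", LOOSE_EXE),
             ("stored_zip", STORED_ZIP))
    return [name for name, rx in tests if rx.search(line)]


SAMPLES = {
    "exe, e_cblp=0x90 e_cp=3": dos_header(0x90, 3, 0),
    "exe, e_cblp=0x50 e_cp=2 e_minalloc=0x0f": dos_header(0x50, 2, 0x0F),
    "zip, version 1.0, stored": zip_local_header(10, 0),
    "zip, version 2.0, deflated": zip_local_header(20, 8),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:42} {first_b64_line(data)[:16]}  {matches(data)}")
```

The character classes in the looser pattern correspond to alternative values of the e_cblp, e_cp and e_minalloc header words, and the zip pattern fixes the "version needed" field at 1.0 with no flags and the stored (uncompressed) method, so an archive whose first entry is deflated encodes to a different prefix.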