Re: Procmail virus recipies (was Re: Mimail Virus.)
Karsten M. Self wrote:
> Since nobody in their right mind whom I don't already know would send me
> a MSFT executable, procmail rules...

Thanks for sharing your procmail rules. Let me recommend a very simple
but for me effective set of virus scanner rules for procmail. I have
been having good success using YAVR (Yet Another antiVirus Recipe). You
can find it on freshmeat.net. Here is the home page.

http://agriroot.aua.gr/~nikant/nkvir/

It is very nicely done and I have replaced my own recipes with it.

Bob
Re: Procmail virus recipies (was Re: Mimail Virus.)
On Wed, 19 Nov 2003 11:58:05 -0800 "Karsten M. Self" <[EMAIL PROTECTED]> wrote:
> on Wed, Nov 19, 2003 at 06:42:40AM +0800, David Palmer ([EMAIL PROTECTED]) wrote:
> > Hello,
> >
> > Just saw this in Eweek, so I thought that I would forward it to the
> > list.
> >
> > http://www.eweek.com/article2/0,4149,1383915,00.asp
>
> Since nobody in their right mind whom I don't already know would send me
> a MSFT executable, procmail rules...
>
> "chkmail" comes from the 'spamfilter' package.
>
> Two methods. Take your pick.
>
>
> By MIME-encoded signature:
>
>     # Win32 executables (viruses and any other attachment)
>     # Wed Sep 24 21:09:03 BST 2003
>     :0 B
>     * ^Content-Transfer-Encoding:.*base64
>     * ^TVqQAAME//8AALg
>     * 4fug4AtAnNIbg
>     {
>         LOG="LOG: [virus: win32 exe] "
>
>         :0
>         Virus/
>     }
>
>
> By extension:
>
>     WINDOWS_EXECUTABLE_EXT="(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)"
>
>     :0B
>     * ^Content-Type: .*; name=.*\.$WINDOWS_EXECUTABLE_EXT['"]*
>     {
>         :0c
>         | ! chkmail --header "From|Sender" $WHITELIST
>
>         :0a
>         {
>             LOG="LOG: (Virus!: MSFT executable"
>
>             # Train spamassassin
>             :0c
>             | sa-learn --spam --single
>
>             :0:
>             Virus/
>         }
>     }
>
> Peace.
>

Thank you.

Regards,
David.

http://www.ctheory.net/text_file.asp?pick=402
Procmail virus recipies (was Re: Mimail Virus.)
on Wed, Nov 19, 2003 at 06:42:40AM +0800, David Palmer ([EMAIL PROTECTED]) wrote:
> Hello,
>
> Just saw this in Eweek, so I thought that I would forward it to the
> list.
>
> http://www.eweek.com/article2/0,4149,1383915,00.asp

Since nobody in their right mind whom I don't already know would send me
a MSFT executable, procmail rules...

"chkmail" comes from the 'spamfilter' package.

Two methods. Take your pick.


By MIME-encoded signature:

    # Win32 executables (viruses and any other attachment)
    # Wed Sep 24 21:09:03 BST 2003
    :0 B
    * ^Content-Transfer-Encoding:.*base64
    * ^TVqQAAME//8AALg
    * 4fug4AtAnNIbg
    {
        LOG="LOG: [virus: win32 exe] "

        :0
        Virus/
    }


By extension:

    WINDOWS_EXECUTABLE_EXT="(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)"

    :0B
    * ^Content-Type: .*; name=.*\.$WINDOWS_EXECUTABLE_EXT['"]*
    {
        :0c
        | ! chkmail --header "From|Sender" $WHITELIST

        :0a
        {
            LOG="LOG: (Virus!: MSFT executable"

            # Train spamassassin
            :0c
            | sa-learn --spam --single

            :0:
            Virus/
        }
    }

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
      http://sco.iwethey.org/
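
Added example, not part of the thread and not code from any of the posters: the two checks discussed above (attachment extension and Win32 executable signature) done in Python on the decoded MIME parts rather than on raw base64 text, so an executable renamed to a harmless extension is still flagged. The sample message, its address and file names are constructed, and the function names are this example's own.

```python
import base64
import re
from email import message_from_string

# Extension list from the recipe in the thread (duplicates dropped);
# "DO." and "XL." keep the recipe's one-character wildcard.
EXECUTABLE_EXT = re.compile(
    r"\.(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|"
    r"JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|"
    r"SHS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)$", re.IGNORECASE)

def classify_part(part):
    """Return the reasons a leaf MIME part looks like a Windows executable."""
    reasons = []
    # get_filename() reads Content-Disposition filename=, then Content-Type name=
    name = (part.get_filename() or "").strip()
    if EXECUTABLE_EXT.search(name):
        reasons.append("extension")
    # decode=True undoes base64/quoted-printable, so the check sees real bytes
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == b"MZ":  # DOS/PE header magic
        reasons.append("mz-header")
    return reasons

def scan_message(raw):
    """Map each suspicious attachment name to the checks it tripped."""
    findings = {}
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        reasons = classify_part(part)
        if reasons:
            findings[part.get_filename() or part.get_content_type()] = reasons
    return findings

# Constructed sample: a renamed executable stub and a text file named .PIF
FAKE_EXE = base64.b64encode(b"MZ\x90\x00\x03\x00" + b"\x00" * 10).decode()
SAMPLE = (
    'From: sender@example.com\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nhello\n'
    '--b1\nContent-Type: image/jpeg; name="photo.jpg"\n'
    'Content-Transfer-Encoding: base64\n\n' + FAKE_EXE + '\n'
    '--b1\nContent-Type: application/octet-stream; name="notes.PIF"\n\n'
    'plain text\n--b1--\n')

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The two checks fail differently: the extension test misses renamed files, while the header test misses scripts and shortcuts that have no MZ header, which is why the example reports both.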