I have been getting a lot of audio (Klez virus) files lately.  There
is not enough for SA to grip onto right now.  Perhaps something like
the following?

body XWAV_IN_BODY               /Content-Type:\s*audio\/x-wav/i
describe XWAV_IN_BODY           x-wav audio in body of mail
score XWAV_IN_BODY              3.5

That is not quite what I want.  First, it does not trigger on this
message, I think because of the MIME chaining?  Shouldn't that body
rule match?  Secondly, I wanted audio/x-wav with a name that ends in a
virus indicator like *.(bat|exe|others).  Perhaps someone can improve
this toward that goal.

Bob

Example snippet, rot13'd to avoid being tagged as the Klez virus:


ZVZR-Irefvba: 1.0
Pbagrag-Glcr: zhygvcneg/nygreangvir;
        obhaqnel=C8m288FT8VvC2A6834sL84NXdWB2112P
Zrffntr-Vq: <[EMAIL PROTECTED]>
K-Fcnz-Fgnghf: Ab, uvgf=1.1 erdhverq=5.0
        grfgf=SEBZ_ANZR_AB_FCNPRF,UGZY_VA_OBQL,ERYNLVAT_SENZR
        irefvba=2.31
K-Fcnz-Yriry: *
Sebz: jnxbh <[EMAIL PROTECTED]>
Gb: [EMAIL PROTECTED]
Fhowrpg: Cyrnfr gel ntnva
Qngr: Ghr, 23 Why 2002 09:35:26 -0700

--C8m288FT8VvC2A6834sL84NXdWB2112P
Pbagrag-Glcr: grkg/ugzy;
Pbagrag-Genafsre-Rapbqvat: dhbgrq-cevagnoyr

<UGZY><URNQ></URNQ><OBQL>
<vsenzr fep=3Qpvq:ITXjDB3TGX8 urvtug=3Q0 jvqgu=3Q0>
</vsenzr>
<SBAG></SBAG></OBQL></UGZY>

--C8m288FT8VvC2A6834sL84NXdWB2112P
Pbagrag-Glcr: nhqvb/k-jni;
        anzr=Emk.ong
Pbagrag-Genafsre-Rapbqvat: onfr64
Pbagrag-VQ: <ITXjDB3TGX8>

GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNN2NNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4t
[...]
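
Added example (not part of the original post, and not SpamAssassin code): a Python sketch of the check the post asks for, reading the MIME part headers and flagging audio/* parts whose attachment name ends in an executable extension. The sample message is constructed from the decoded headers of the snippet above with placeholder boundary, Content-ID and payload; the function name and the extensions beyond bat and exe are assumptions.

```python
import re
from email import message_from_string

# The post names bat and exe; the remaining extensions are an assumed list.
EXEC_EXT = re.compile(r"\.(bat|exe|com|pif|scr)$", re.I)

# Constructed sample: same structure as the posted snippet, placeholder payload.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=BOUNDARY0001
Subject: Please try again

--BOUNDARY0001
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:PART0001 height=3D0 width=3D0></iframe>
</BODY></HTML>

--BOUNDARY0001
Content-Type: audio/x-wav;
        name=Rzx.bat
Content-Transfer-Encoding: base64
Content-ID: <PART0001>

AAAA

--BOUNDARY0001--
"""

def audio_named_as_executable(raw):
    """Return (content_type, name, referenced_by_cid) for each audio/* part
    whose attachment name ends in an executable extension."""
    msg = message_from_string(raw)
    # Decode HTML parts first so quoted-printable "=3D" becomes "=".
    html = "".join(p.get_payload(decode=True).decode("latin-1")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""  # falls back to Content-Type name=
        if part.get_content_maintype() != "audio" or not EXEC_EXT.search(name):
            continue
        cid = (part.get("Content-ID") or "").strip("<> ")
        hits.append((part.get_content_type(), name,
                     bool(cid) and ("cid:" + cid) in html))
    return hits
```

The third field records whether an HTML part references the attachment by its Content-ID, which can serve as a second signal alongside the type and name mismatch.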


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk