I have not seen one specific From/To/Subject pattern to catch a rule on.
The only thing this virus has in common is a '.exe'.  Interestingly enough,
it seems that all the really bad worms have attachments that are .bat, .pif,
.scr, .exe, or .com.  Most of the fairly tame ones hide in other documents.
So my little Procmail filter for these attachment *names* has done well
catching all of them.

:0 Bw
* .*name=.*\.(com|cpl|chm|crt|exe|hlp|lnk|ms[cipt]|ocx|pcd|p[ir]f|scr|sh[bs])("|$)
*  ^Content-Transfer-Encoding: base64
FILENAME=| egrep '[     ]name=' | egrep -v '(GENERATOR\>|Microsoft|3D)' | sed 's/.*name= */:/; s/"//g'

:0 a fw
| formail -A "X-Merlin: Attachment Failed - Binary"


I have multiple setups to classify the extension but they all follow the
same pattern.  You might be able to modify it for your needs.

body  MY_BAD_ATTACHMENTS  /name=.*\.(com|pif|scr|exe|bat)("|$)/i


--Larry




> -----Original Message-----
> From: Forrest Aldrich

> This new virus appears to generate many (random?) subjects, 
> so it's getting difficult to narrow down.
> 
> Has anyone filters for Spamassassin that will correctly identify 
> this virus?  I'd like to score this one high so they are rejected 
> (via spamass-milter)... it's been a huge problem all day.
> 
> The fake messages have a preamble like this:
> 
>  >>>>>>>>>
> MS User
> 
> this is the latest version of security update, the "September 2003, 
> Cumulative Patch" update which eliminates all known security 
> vulnerabilities affecting MS Internet Explorer, MS Outlook 
> and MS Outlook Express as well as three newly discovered
> vulnerabilities.  Install now to  continue keeping your computer
> secure from these vulnerabilities. This update includes the
> functionality of all previously released patches.
> <<<<<<<<<
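
An added example, not part of the posts above or of the Procmail/SpamAssassin projects: the same attachment-extension check done with Python's MIME parser instead of a line regex, so unquoted values, RFC 2231 encoded names and trailing dots or spaces are handled. The function name `blocked_attachments` and the sample message are constructed for illustration; the extension list is the union of the two rules in the reply.

```python
import email

# Extensions from the Procmail and SpamAssassin rules quoted in the post.
BLOCKED = {
    "bat", "chm", "com", "cpl", "crt", "exe", "hlp", "lnk", "msc", "msi",
    "msp", "mst", "ocx", "pcd", "pif", "prf", "scr", "shb", "shs",
}

def blocked_attachments(raw):
    """Return attachment names in raw message bytes whose last extension is blocked."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        # get_filename() reads Content-Disposition filename=, falls back to
        # Content-Type name=, and decodes RFC 2231 (filename*=) values.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces in file names.
        cleaned = name.rstrip(". ").lower()
        ext = cleaned.rpartition(".")[2] if "." in cleaned else ""
        if ext in BLOCKED:
            hits.append(name)
    return hits

# Constructed sample message, not taken from the thread.
SAMPLE = b"""Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install now.
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''update%2Escr

AAAA
--b1
Content-Type: application/pdf; name=notes.pdf

AAAA
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```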



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
