[NTL] (HOWTO) Surprisingly simple Procmail recipe
William Park
opengeometry-FFYn/CNdgSA at public.gmane.org
Sat Jun 5 18:20:32 UTC 2004
On Sat, Jun 05, 2004 at 11:26:57AM -0400, JoeHill wrote:
> This will catch not only the Nigerian money-scam stuff, but virii and
> pr0n too:
>
> http://agriroot.aua.gr/~nikant/nkvir/
I looked at it. It's too labour intensive. Every time a new worm comes
out, you have to update the recipe. I currently use

    :0 D
    * > 140000
    * < 180000
    * boundary="-*[a-z]+"
    spam.swen

    :0 D
    * > 35000
    * < 45000
    * boundary="(----=_NextPart_000_0016----=_NextPart_000_0016|----=_NextPart_000_001B_01C0CA8(0.6|1.7)B015D10)"
    spam.netsky

for Microsoft Swen and Netsky worms, because they are the 2 most
prolific. Also,

    boundary="-*[a-z]+"
    boundary="(--(--)?)?[0-9]+"
    boundary="(--(--)?)?[0-9A-Z._]+"

alone are strong indicators of spam. However, Mozilla (Windows) uses
'-{12}[0-9]{24}' for boundary pattern, so you cannot use something like
'-*[0-9]+'.
For general binary attachments, I find

    :0
    * Content-type: multipart/
    {
        :0 B
        * 1^0 ^Content-type: image/(gif|jpeg|bmp)
        * 1^0 ^Content-type: audio/(x-midi|x-wav)
        * 1^0 ^Content-type: application/(octet-stream|(x-ms)?download|x-zip-compressed)
        spam.binary
    }

sufficient for my purpose.
--
William Park, Open Geometry Consulting, <opengeometry-FFYn/CNdgSA at public.gmane.org>
No, I will not fix your computer! I'll reformat your harddisk, though.
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
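
Added example, not part of the original post: a small Python check of the three boundary patterns against constructed Content-Type headers, showing why the looser '-*[0-9]+' would misfile the Mozilla-style boundary. It assumes case-sensitive matching (procmail's D flag, as in the recipes above); all sample headers and the helper names are made up for illustration.

```python
import re

# The three boundary conditions from the post, matched case-sensitively
# (assumption: used with procmail's "D" flag, as in the posted recipes).
SPAM_BOUNDARIES = [
    r'boundary="-*[a-z]+"',
    r'boundary="(--(--)?)?[0-9]+"',
    r'boundary="(--(--)?)?[0-9A-Z._]+"',
]
# The looser pattern the post says cannot be used.
TOO_LOOSE = r'boundary="-*[0-9]+"'

PREFIX = 'Content-Type: multipart/mixed; boundary="'
# Constructed sample headers, not taken from real mail.
SAMPLES = {
    "lowercase": PREFIX + 'qzxvbnmasd"',
    "digits": PREFIX + '----84736251"',
    "upper_dot": PREFIX + '--A1B2.C3_D4"',
    # Mozilla (Windows) shape from the post: -{12}[0-9]{24}
    "mozilla": PREFIX + "-" * 12 + '010203040506070809000102"',
    "nextpart": PREFIX + '----=_NextPart_000_0001_01C44B00.12345678"',
}

def matching_patterns(header):
    """Return the posted patterns that match this header line."""
    return [p for p in SPAM_BOUNDARIES if re.search(p, header)]

def too_loose_hit(header):
    """True if the rejected '-*[0-9]+' pattern would match."""
    return re.search(TOO_LOOSE, header) is not None

def report():
    """Map sample name -> (number of posted patterns hit, loose-pattern hit)."""
    return {name: (len(matching_patterns(h)), too_loose_hit(h))
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (hits, loose) in report().items():
        print(f"{name:10} posted-pattern hits={hits} loose-pattern hit={loose}")
```

Running the same kind of check over a folder of known-good mail before deploying a new boundary pattern shows which legitimate mail clients it would catch.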