Can bogofilter filter Swen

Boris 'pi' Piwinger 3.14 at logic.univie.ac.at
Wed Sep 24 09:13:30 CEST 2003


p at dirac.org wrote:

># Broad antivirus recipe:
>#
># Look at attachment content.  The 2nd condition is the header of a
># win32 exe encoded with base64.  No matter how the virus is named,
># that header MUST have this specific form, or it won't be recognized
># by Windows as an exe.  So every attachment that starts with
># TVqQAAMAAAAEAAAA//8AALg is a win32 program: a potential virus.
># The 3rd condition is the string "this program cannot be run in
># MS-DOS mode" encoded in base64.  It helps avoid false positives.

While this might work in the special case of exe
attachments, there are more, like scr, bat, com, etc. I don't
know if they also start this way, but anyhow, the following
works for me, catching all possible viruses, but of course it
also catches all of those "funny" things some people send to
you:

# Recipe 1: looks for multipart mail and scores the body.  "B ??" makes a
# condition match against the body instead of the header; "1^1" adds 1 for
# every matching line and "-1^1" subtracts 1 for every matching line; the
# recipe fires when the total score is positive.  Procmail matches
# case-insensitively unless the D flag is given.  The bracket in the last
# two conditions holds a space and a tab, i.e. indented (file)name=
# continuation lines.  "=3D" is quoted-printable for "=", so the final
# condition cancels the match the previous one gets on such lines.
:0:
* ^Content-Type:.*multipart/
* 1^1 B ?? ^Content-Type:.*application/x-msdownload
* 1^1 B ?? ^Content-Type:.*name=.*\.(exe|scr|pif|com|bat)
* 1^1 B ?? ^[ 	]+(file)?name=.*\.(exe|scr|pif|com|bat)
* -1^1 B ?? ^[ 	]+(file)?name=3D.*\.(exe|scr|pif|com|bat)
virus-suspect
# Recipe 2: the same two checks on the top-level header; "1^0" adds 1 on
# the first match only.
:0:
* 1^0 ^Content-Type:.*application/x-msdownload
* 1^0 ^Content-Type:.*name=.*\.(exe|scr|pif|com|bat)
virus-suspect

pi
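The two approaches in this thread, the base64 MZ-header check from the quoted post and pi's extension/Content-Type regexes, side by side as an added example. This is not code from the original post, from bogofilter or from procmail: it is a Python script that walks the decoded MIME tree of a message and flags parts by name/type and by content, next to a literal re-implementation of the body conditions of the first recipe above. The function names (`raw_score`, `scan_parts`, `is_win32_exe`) and all three sample messages are constructed for this example; the fake PE payload is only the stub prefix plus filler, not a runnable program.

```python
"""Added example, not code from the original post or from bogofilter/procmail:
MIME-aware detection of Windows executables in mail, checking both signals
the thread discusses (attachment name/type and the base64-decoded MZ header
with its DOS stub text) next to a re-implementation of the body conditions of
the procmail recipe above.  All messages and names are constructed."""
import base64
import email
import re
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions the procmail recipe treats as executable.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat"}

# The quoted recipe keys on base64 text starting "TVqQAAMAAAAEAAAA//8AALg".
# Decoded (one '=' of padding added), that is the first 17 bytes of the usual
# MS-DOS stub of a Win32 PE file: "MZ", e_cblp=0x90, e_cp=3, ..., e_sp=0xB8.
MZ_PREFIX = base64.b64decode("TVqQAAMAAAAEAAAA//8AALg=")

# The stub's message; the post quotes it as "MS-DOS mode" while linkers write
# "DOS mode", so match the part both forms share.
DOS_STUB_TEXT = b"cannot be run in"

# Body conditions of the first recipe with their weights.  The recipe's
# "[ <tab>]" class is written [ \t] here; procmail matches case-insensitively
# by default, hence re.I below.
EXT = rb"\.(?:exe|scr|pif|com|bat)"
BODY_CONDITIONS = (
    (+1, rb"^Content-Type:.*application/x-msdownload"),
    (+1, rb"^Content-Type:.*name=.*" + EXT),
    (+1, rb"^[ \t]+(?:file)?name=.*" + EXT),
    (-1, rb"^[ \t]+(?:file)?name=3D.*" + EXT),   # =3D is quoted-printable '='
)


def raw_score(raw: bytes) -> int:
    """Sum of the recipe's weighted body conditions over the undecoded body.
    1^1 and -1^1 count every matching line, so use the number of matches."""
    _, _, body = raw.partition(b"\n\n")
    return sum(w * len(re.findall(p, body, re.I | re.M)) for w, p in BODY_CONDITIONS)


def is_win32_exe(data: bytes) -> bool:
    """Content check that does not depend on how the attachment is named."""
    if data.startswith(MZ_PREFIX):          # the exact stub the recipe keys on
        return True
    return data.startswith(b"MZ") and DOS_STUB_TEXT in data[:512]


def has_exec_extension(name) -> bool:
    return bool(name) and "." in name and name.rsplit(".", 1)[1].lower() in EXEC_EXTS


def scan_parts(raw: bytes):
    """Walk the decoded MIME tree; one finding per part that looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        name = part.get_filename()                     # Content-Disposition or Content-Type name
        by_name = has_exec_extension(name) or part.get_content_type() == "application/x-msdownload"
        by_content = is_win32_exe(data)
        if by_name or by_content:
            findings.append({"name": name, "by_name": by_name, "by_content": by_content})
    return findings


def _fake_pe() -> bytes:
    # Constructed stand-in for a PE file: real stub prefix and text, then filler.
    return MZ_PREFIX + b"\x00" * 47 + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 64


def build_samples() -> dict:
    """Three constructed messages: declared exe, renamed exe, quoted text."""
    def with_attachment(subtype, filename):
        m = MIMEMultipart()
        m["Subject"] = "constructed sample"
        m.attach(MIMEText("see attached"))
        att = MIMEApplication(_fake_pe(), subtype, name=filename)   # base64 by default
        att.add_header("Content-Disposition", "attachment", filename=filename)
        m.attach(att)
        return m.as_bytes()

    # A quoted-printable text body that merely quotes an attachment header;
    # '=' becomes '=3D' on the wire, which is what the recipe's -1^1 line sees.
    quoted = MIMEText("Forwarding the header of that message for reference:\n"
                      "Content-Type: application/octet-stream;\n"
                      '        name="swen.scr"\n', "plain", "iso-8859-1")
    quoted["Subject"] = "constructed sample"
    return {
        "declared_exe": with_attachment("x-msdownload", "funny.scr"),
        "renamed_exe": with_attachment("octet-stream", "patch.txt"),
        "quoted_text": quoted.as_bytes(),
    }


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, "recipe score:", raw_score(raw), "MIME findings:", scan_parts(raw))
```

The renamed sample is the interesting one: the regex conditions score it 0 because neither the type nor the name gives it away, while the decoded payload still starts with the MZ stub. The quoted-text sample shows the other side: the raw regex gets a hit on the `name=3D"swen.scr"` line that the `-1^1` condition then cancels, and the MIME walk never sees an attachment there at all.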
