Can bogofilter filter Swen

p at dirac.org p at dirac.org
Tue Sep 23 19:51:09 CEST 2003 

hi stephen,

i have a procmail solution.  it works perfectly, for all win32
executable viruses:



# Broad antivirus recipe:
#
# Look at attachment content.  The 2nd condition is the header of a
# win32 exe encoded with base64.  No matter how the virus is named,
# that header MUST have this specific form, or it won't be recognized
# by Windows as an exe.  So every # attachment that starts with
# TVqQAAMAAAAEAAAA//8AALg is a win32 program: a # potential virus.
# The 3rd condition is the string "this program cannot be run in
# MS-DOS mode" encoded in base64.  It's helps avoid false positives.
#
# Thank you Roland Smith <rsmith at xs4all.nl>
#
:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVqQAAMAAAAEAAAA//8AALg
* 4fug4AtAnNIbg
{
   LOG="[virus: win32 exe]     "

   :0
   /dev/null
}



this recipe works perfectly.  i haven't gotten a single win32 virus in
my inbox.  nothing.  not klez, not yaha, not sobig, not swen.  nada.
zip.  zero.

the only thing i DO get in my inbox are those stupid messages by RAV
antivirus telling me that it removed an executable that was probably a
virus but still delivered the text portion "dear microsoft customer...".

hopefully, bogofilter will help filter THOSE messages...  ;)

pete



On Wed 24 Sep 03,  1:31 AM, Stephen Liu <satimis at icare.com.hk> said:
> Hi all folks,
> 
> 
> RH9
> Evolution 1.4
> =============
> 
> I just join this list.
> 
> W32/Swen has been attacking my PC for more than 3 days.  It disguised as
> M$ support mail, junk mails, and transform rapidly, changing Sender and
> Recipient Addresses, Subject, etc.  Although it causes no damage to my
> PC but a lot of deleting work was faced.  It also occupied band width. 
> The M$ junk mails were downloaded from ISP server via POP3 on Evolution
> email folder.  Filter on Evolution could not filter them.  
> 
> I am searching hard for a solution.  Kindly advise can bogofilter do the
> job?
> 
> Thanks in advance.
> 
> B.R.
> Stephen Liu
> 
> 
> To Get Your Own iCareHK.com Email Address?  Go To www.iCareHK.com.
> 
> ---------------------------------------------------------------------
> FAQ: http://bogofilter.sourceforge.net/bogofilter-faq.html
> To unsubscribe, e-mail: bogofilter-unsubscribe at aotto.com
> For summary digest subscription: bogofilter-digest-subscribe at aotto.com
> For more commands, e-mail: bogofilter-help at aotto.com
> 

-- 
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D

More information about the Bogofilter mailing list