dealing with email from "Mydoom" worm
Bill Wohler
wohler at newt.com
Tue Feb 3 06:00:20 CET 2004
"Eric Wood" <eric at interplas.com> writes:
> Bill Wohler wrote:
>> Fred Yankowski <fred at ontosys.com> writes:
>> name (or filename) parameter is on the same line
>> as the Content-Type or Content-Disposition header field or not
>
>> :0 B:
>> * ^Content-Transfer-Encoding:.*base64
>> * ^Content-(Type|Disposition):.*$?.*name
>> *=.*\.(bat|cmd|exe|pif|scr|zip) spam/exe/.
>
> Bill,
> I'm glad you sent that email. I've been wondering how to catch newlines
> with a $.
I can't claim originality on that. I found it after a Google search.
However, my value added is that I have one pattern instead of two. The
rule I saw had two patterns--one with and without the newline. The
question mark after the dollar sign folds the two patterns into one.
But yes, I agree with you. The $ is an interesting and useful procmail
trick.
p.s. Lots of mydoom shrapnel (the mailer-daemon bounces) is still
appearing in my inbox.
--
Bill Wohler <wohler at newt.com> http://www.newt.com/wohler/ GnuPG ID:610BD9AD
Maintainer of comp.mail.mh FAQ and MH-E. Vote Libertarian!
If you're passed on the right, you're in the wrong lane.
More information about the Bogofilter
mailing list