dealing with email from "Mydoom" worm
Jef Poskanzer
jef at acme.com
Wed Jan 28 21:35:21 CET 2004
>I know I'm getting off-topic, but that string does not occur
>in every instance of the worm's payload. So many/most of them
>will slip through that filter.
Here's the rule I'm using:

:0 B
* ^Content-Transfer-Encoding:.*base64
* ^UEsDBAoAAAAAA
/dev/null

I suspect this dumps all .zip files, not just wormy ones, but
I Don't Care.

Also, here's the similar rule that dumps all Windows executables:

:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVqQAAMAAAAEAAAA//8AALg
/dev/null
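
Added example, not part of the original message: it decodes the two base64 prefixes from the recipes above to the file-header bytes they pin down, and compares a line-prefix match with a filter that decodes each MIME part and checks its magic bytes. The function names, sample messages and header stubs are constructed for illustration, and the regex version of the procmail recipe is an approximation.

```python
import base64, re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

ZIP_PREFIX = "UEsDBAoAAAAAA"            # from the first recipe
EXE_PREFIX = "TVqQAAMAAAAEAAAA//8AALg"  # from the second recipe

def decode_prefix(prefix):
    """Bytes fixed by a base64 prefix (a trailing partial group is dropped)."""
    return base64.b64decode(prefix[: len(prefix) // 4 * 4])

def text_rule_hits(raw, prefix):
    """Approximate the recipe: both conditions against the body, ignoring case."""
    body = raw.split("\n\n", 1)[1]
    flags = re.M | re.I
    return bool(re.search(r"^Content-Transfer-Encoding:.*base64", body, flags)
                and re.search("^" + re.escape(prefix), body, flags))

def magic_hits(raw):
    """Decode every leaf MIME part and test its leading magic bytes."""
    hits = []
    for part in message_from_string(raw).walk():
        data = b"" if part.is_multipart() else (part.get_payload(decode=True) or b"")
        if data[:4] == b"PK\x03\x04":
            hits.append((part.get_filename(), "zip"))
        elif data[:2] == b"MZ":
            hits.append((part.get_filename(), "exe"))
    return hits

def build(name, data):
    """Constructed test message carrying one base64 attachment."""
    msg = MIMEMultipart()
    msg["Subject"] = "constructed sample"
    att = MIMEApplication(data)
    att.add_header("Content-Disposition", "attachment", filename=name)
    msg.attach(att)
    return msg.as_string()

# Constructed ZIP local-file-header stubs (not complete archives):
# signature, version needed, flags, compression method, then zero padding.
STORED = b"PK\x03\x04" + b"\x0a\x00" + b"\x00\x00" + b"\x00\x00" + bytes(20)
DEFLATED = b"PK\x03\x04" + b"\x14\x00" + b"\x00\x00" + b"\x08\x00" + bytes(20)

if __name__ == "__main__":
    print(decode_prefix(ZIP_PREFIX), decode_prefix(EXE_PREFIX)[:2])
    for name, data in (("stored.zip", STORED), ("deflated.zip", DEFLATED)):
        raw = build(name, data)
        print(name, text_rule_hits(raw, ZIP_PREFIX), magic_hits(raw))
```

The decoded ZIP prefix covers the signature plus the version-needed and flags fields, so the line-prefix match depends on those field values while the magic-byte check looks only at the signature.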