dealing with email from "Mydoom" worm
Bill Wohler
wohler at newt.com
Thu Jan 29 22:45:48 CET 2004
Fred Yankowski <fred at ontosys.com> writes:
> # NOTES: Content-Type headers inside the document body typically have
> # their 'name' attribute on the following line. Since this is not in the
> # header of the message, procmail does not fold these lines together,
> # and so there is no way to be sure that we are matching the name
> # attribute that is associated with a content-type of
> # application/octet-stream. We get a false-positive match on a
> # message with multiple attachments, one of type
> # application/octet-stream and another with one of the bad names. Oh
> # well.
You could use the $ regexp to match a newline. The following rule
matches whether the name (or filename) parameter is on the same line as
the Content-Type or Content-Disposition header field or not and doesn't
care about the actual content type. Note that that parameter is
"filename" in the Content-Disposition header field.

:0 B:
* ^Content-Transfer-Encoding:.*base64
* ^Content-(Type|Disposition):.*$?.*name *=.*\.(bat|cmd|exe|pif|scr|zip)
spam/exe/.

--
Bill Wohler <wohler at newt.com> http://www.newt.com/wohler/ GnuPG ID:610BD9AD
Maintainer of comp.mail.mh FAQ and MH-E. Vote Libertarian!
If you're passed on the right, you're in the wrong lane.
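
The recipe above, rendered as Python regular expressions and run over constructed MIME fragments. This is an added example, not part of the original post; the function names and sample bodies are assumptions made for illustration. It shows the name parameter matching on the same line and on the following line, and that the two conditions match independently anywhere in the body.

```python
import re

# Python rendering of the recipe's two body conditions. Assumptions: procmail
# matches case-insensitively and its "$" matches a newline, so "$?" is "\n?".
BASE64 = re.compile(r"^Content-Transfer-Encoding:.*base64", re.I | re.M)
BAD_NAME = re.compile(
    r"^Content-(Type|Disposition):.*\n?.*name *=.*\.(bat|cmd|exe|pif|scr|zip)",
    re.I | re.M)

def recipe_matches(body):
    """Both conditions must match somewhere in the body, each on its own."""
    return bool(BASE64.search(body) and BAD_NAME.search(body))

def matched_header(body):
    """Return the text the name condition matched, for logging, or None."""
    m = BAD_NAME.search(body)
    return m.group(0) if m else None

# Constructed MIME body fragments (not taken from real mail).
SAME_LINE = (
    'Content-Type: application/octet-stream; name="document.pif"\n'
    'Content-Transfer-Encoding: base64\n\nQUJDRA==\n')
NEXT_LINE = (
    'Content-Type: application/octet-stream;\n'
    '\tname="document.scr"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Disposition: attachment;\n'
    '\tfilename="document.scr"\n\nQUJDRA==\n')
BENIGN = (
    'Content-Type: image/jpeg;\n'
    '\tname="photo.jpg"\n'
    'Content-Transfer-Encoding: base64\n\nQUJDRA==\n')
# Two parts: a base64 image plus a 7bit text part with a listed extension.
MIXED = BENIGN + (
    '--b1\n'
    'Content-Type: text/plain; name="build.bat"\n'
    'Content-Transfer-Encoding: 7bit\n\necho hello\n')
NOT_BASE64 = MIXED[len(BENIGN):]

if __name__ == "__main__":
    for label, body in [("same line", SAME_LINE), ("next line", NEXT_LINE),
                        ("benign", BENIGN), ("mixed parts", MIXED),
                        ("no base64", NOT_BASE64)]:
        print(f"{label:12} {recipe_matches(body)} {matched_header(body)!r}")
```

The "mixed parts" case is filed as a match even though the base64 part and the listed name belong to different attachments, which is the cost of not tying the name to a particular part.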