[vox-tech] the answer to all my virus problems

R. Douglas Barbieri vox-tech@lists.lugod.org
Sat, 20 Sep 2003 15:17:32 -0700



On Sat, Sep 20, 2003 at 02:56:04PM -0700, p@dirac.org wrote:
> roland smith, whom i met while googling shared a *wonderful* procmail
> recipe that catches windows viruses.  it's made my life bearable.  here
> it is:
>
> # Broad antivirus recipe:
> #
> # It looks at the contents of attachments. The 2nd condition is the header of
> # a win32 exe encoded with the base64 algorithm. No matter how the virus is
> # named, that header MUST have this specific form, or it won't be recognized
> # by windows as an executable.  So every attachment that starts with
> # TVqQAAMAAAAEAAAA//8AALg is a win32 program and a potential virus.  The 3rd
> # condition is the string "this program cannot be run in MS-DOS mode" encoded
> # in base64.  It's there just to be sure, and avoid false positives.
> #
> :0 B
> * ^Content-Transfer-Encoding:.*base64
> * ^TVqQAAMAAAAEAAAA//8AALg
> * 4fug4AtAnNIbg
> {
> 	LOG="[virus: win32 exe]     "
>
> 	:0
> 	DUMP
> }

Hey, I wonder if it would work as an exim system filter? This would be
great to just throw out exe attachments system-wide.

> just cut and paste into .procmailrc and your 99E999 swen viruses per day
> will be placed into $MAILDIR/DUMP (or /dev/null if that's what you want).
>
> the guy had some good procmail recipes on his website:
>
> http://www.xs4all.nl/~rsmith/spamblock.html
>
> enjoy!
> pete
>
> --
> GPG Instructions: http://www.dirac.org/linux/gpg
> GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

--
R. Douglas Barbieri
doug@dooglio.net
http://www.dooglio.net

vi: "The way God meant for man to edit text files..."

GPG Fingerprint: FE6A 6A57 2B95 7594 E534  BFEE 45F1 9E5E F30A 8A27
GPG Public key : http://www.dooglio.net/dooglio.asc
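
Added example, not part of the thread and not Roland Smith's or procmail's code: a Python reconstruction of what the recipe's two body markers are and how they get matched. It builds a constructed stand-in for a Win32 executable (the 64-byte DOS header most linkers emit, the usual DOS stub, zero padding and a PE signature; it is not a runnable program), wraps it in a constructed MIME message using Python's standard email library, and checks it two ways: the recipe's line-oriented regex test, and a sturdier variant that decodes each attachment and inspects the bytes so the result no longer depends on where the base64 lines wrap. The addresses, file name and the sample file are assumptions. Two things the code makes visible: `TVqQAAMAAAAEAAAA//8AALg` is the base64 of the first 18 bytes of that common DOS header, and `4fug4AtAnNIbg` is the base64 of the stub's leading machine-code bytes (the ones just before the "cannot be run in DOS mode" text) at the alignment they have when the stub follows a 64-byte header, which is why it only works when the attachment starts at the beginning of a base64 line.

```python
"""Added example (not from the thread): the procmail recipe's two markers,
checked against a constructed message. Nothing here is a real executable."""
import base64
import email
import re
import struct
from email import policy
from email.message import EmailMessage

# The two body markers used by the quoted procmail recipe.
MZ_PREFIX = "TVqQAAMAAAAEAAAA//8AALg"   # base64 of the first 18 header bytes
STUB_MARKER = "4fug4AtAnNIbg"           # base64 of the DOS stub's leading bytes


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Win32 executable: a standard 64-byte DOS
    header, the usual DOS stub, zero padding and a PE signature at e_lfanew.
    It is not a runnable program; it exists only to show the markers."""
    e_lfanew = 0x80
    dos_header = struct.pack(
        "<2sHHHHHHHHHHHHH8sHH20sI",
        b"MZ",                               # e_magic
        0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8,   # e_cblp .. e_sp
        0, 0, 0, 0x40, 0,                    # e_csum, e_ip, e_cs, e_lfarlc, e_ovno
        b"\0" * 8, 0, 0, b"\0" * 20,         # e_res, e_oemid, e_oeminfo, e_res2
        e_lfanew)
    dos_stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                b"This program cannot be run in DOS mode.\r\r\n$")
    body = dos_header + dos_stub
    return body + b"\0" * (e_lfanew - len(body)) + b"PE\0\0"


def marker_positions(data: bytes) -> tuple:
    """Where the two markers land in the unwrapped base64 of `data`
    (-1 if absent). For the constructed file they are at 0 and 86."""
    b64 = base64.b64encode(data).decode("ascii")
    return b64.find(MZ_PREFIX), b64.find(STUB_MARKER)


def build_message(attachment: bytes, filename: str = "sample.exe") -> bytes:
    """Constructed MIME message carrying `attachment` as a base64 part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # assumed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attached")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def matches_recipe(raw: bytes) -> bool:
    """The same test the recipe makes: procmail's B flag searches the body
    (which, for a multipart message, includes each part's headers), so a
    base64 Content-Transfer-Encoding line, a line starting with the MZ
    prefix and the stub marker anywhere must all be present."""
    text = raw.replace(b"\r\n", b"\n").decode("ascii", "replace")
    _, _, body = text.partition("\n\n")
    has_b64 = re.search(r"^Content-Transfer-Encoding:.*base64", body, re.M | re.I)
    has_mz = re.search("^" + re.escape(MZ_PREFIX), body, re.M)
    return bool(has_b64 and has_mz and STUB_MARKER in body)


def matches_by_decoding(raw: bytes) -> bool:
    """Sturdier variant: decode each attachment and look at the bytes, so the
    check does not depend on base64 line alignment or wrapping."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_content()
        if (isinstance(data, bytes) and data[:2] == b"MZ"
                and b"cannot be run in DOS mode" in data):
            return True
    return False


if __name__ == "__main__":
    sample = build_fake_pe()
    print("markers at", marker_positions(sample))
    raw = build_message(sample)
    print("regex recipe:", matches_recipe(raw), " decoded:", matches_by_decoding(raw))
```

The regex version reproduces the recipe faithfully, including its limits: it only fires when the executable itself is the base64 part, starting at the beginning of a line, so the same file inside a zip or other archive passes untouched. The decoding variant is what a filter that runs a real parser (a MIME-aware milter or content scanner) would do instead.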
