[vox-tech] the answer to all my virus problems
Ken Bloom
vox-tech@lists.lugod.org
Sun, 21 Sep 2003 11:43:58 -0700
On 2003.09.20 14:56, p@dirac.org wrote:
> roland smith, whom i met while googling, shared a *wonderful* procmail
> recipe that catches windows viruses. it's made my life bearable. here
> it is:
>
> # Broad antivirus recipe:
> #
> # It looks at the contents of attachments. The 2nd condition is the header of
> # a win32 exe encoded with the base64 algorithm. No matter how the virus is
> # named, that header MUST have this specific form, or it won't be recognized
> # by windows as an executable. So every attachment that starts with
> # TVqQAAMAAAAEAAAA//8AALg is a win32 program and a potential virus. The 3rd
> # condition is the string "this program cannot be run in MS-DOS mode" encoded
> # in base64. It's there just to be sure, and avoid false positives.
> #
> :0 B
> * ^Content-Transfer-Encoding:.*base64
> * ^TVqQAAMAAAAEAAAA//8AALg
> * 4fug4AtAnNIbg
> {
> LOG="[virus: win32 exe] "
>
> :0
> DUMP
> }
>
> just cut and paste into .procmailrc and your 99E999 swen viruses per day
> will be placed into $MAILDIR/DUMP (or /dev/null if that's what you want).
>
> the guy had some good procmail recipes on his website:
>
> http://www.xs4all.nl/~rsmith/spamblock.html
>
> enjoy!
> pete

Weirdly, I haven't gotten any real copies of the virus since I started
sending them to .mail/probably-virus, but I have gotten copies of the
virus email with the .exe file already stripped from the message (so it
still shows up in my inbox just the same).

I know my procmail isn't working, because I just emailed myself a .exe
file from my windows partition and the filter caught it and shunted the
message off to .mail/probably-virus.

--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***
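
The check the quoted recipe performs, done on the decoded attachment bytes instead of on the base64 text, as an added example (not from the original posts or from Roland Smith's recipes). It goes one step beyond the recipe: rather than matching a fixed stub string, it follows the MZ header's e_lfanew field to the PE signature. Function names, filenames and the sample message are constructed for illustration.

```python
import base64
import struct
from email import message_from_bytes
from email.message import EmailMessage

RECIPE_PREFIX = "TVqQAAMAAAAEAAAA//8AALg"  # 2nd condition of the quoted recipe

def recipe_prefix_bytes() -> bytes:
    """Decode the recipe's base64 prefix (one '=' added so it is valid base64)."""
    return base64.b64decode(RECIPE_PREFIX + "=")

def is_win32_exe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"

def flag_exe_attachments(raw: bytes) -> list:
    """Return the names of base64-encoded parts that decode to a Win32 PE file."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":  # same gate as the recipe's 1st condition
            continue
        payload = part.get_payload(decode=True) or b""
        if is_win32_exe(payload):
            hits.append(part.get_filename() or part.get_content_type())
    return hits

def build_sample() -> bytes:
    """Constructed message: inert header stubs only, no runnable code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> byte 0x40
    fake_pe = bytes(dos) + b"PE\0\0" + bytes(20)  # header skeleton only
    not_pe = b"MZ is just two letters here" + bytes(64)
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, blob in (("update.dat", fake_pe), ("notes.bin", not_pe)):
        msg.add_attachment(blob, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(recipe_prefix_bytes()[:2], flag_exe_attachments(build_sample()))
```

Because the test is on content, the attachment's filename plays no part in the decision, and a file that merely begins with the letters "MZ" is not flagged.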