[vox-tech] the answer to all my virus problems

Ken Bloom vox-tech@lists.lugod.org
Tue, 23 Sep 2003 22:46:28 -0700


On 2003.09.20 14:56, p@dirac.org wrote:
> roland smith, whom i met while googling shared a *wonderful* procmail
> recipe that catches windows viruses.  it's made my life bearable.
> here it is:
>
>
> # Broad antivirus recipe:
> #
> # It looks at the contents of attachments. The 2nd condition is the header of
> # a win32 exe encoded with the base64 algorithm. No matter how the virus is
> # named, that header MUST have this specific form, or it won't be recognized
> # by windows as an executable.  So every attachment that starts with
> # TVqQAAMAAAAEAAAA//8AALg is a win32 program and a potential virus. The 3rd
> # condition is the string "this program cannot be run in MS-DOS mode" encoded
> # in base64.  It's there just to be sure, and avoid false positives.
> #
> :0 B
> * ^Content-Transfer-Encoding:.*base64
> * ^TVqQAAMAAAAEAAAA//8AALg
> * 4fug4AtAnNIbg
> {
> 	LOG="[virus: win32 exe]     "
>
> 	:0
> 	DUMP
> }
>
>
> just cut and paste into .procmailrc and your 99E999 swen viruses per day
> will be placed into $MAILDIR/DUMP (or /dev/null if that's what you want).
>
>
> the guy had some good procmail recipes on his website:
>
> http://www.xs4all.nl/~rsmith/spamblock.html

This rule will be useless on UC Davis email accounts except possibly in
the first couple hours of an attack. UC Davis uses MIMEDefang on all of
its incoming emails, so the attachment was stripped but the messages
kept propagating to my email address. Unfortunately, MIMEDefang doesn't
seem to leave any indication behind when it removes something, so I
couldn't grep for that. For the W32.Swen.A@mm, I just grep for some of
the data in its images (SpamAssassin's Bayesian filter wasn't doing
such a good job of stopping this virus from appearing in my inbox):

# Filter away the (MimeDefang'ed) W32.Swen.A@mm virus
:0 B:
* ^zIGArlZWu25ux319xWpqnnNzppaWy46
* ^3EWC31mS40Zxr4uw6LXN8iZkuXmn5
* ^Content-transfer-encoding: base64
probably-virus/.


--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***
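As an added illustration (not code from this thread, nor from Roland Smith's page), the Python script below shows why the quoted recipe's two base64 fragments work as a signature and where its limits lie. It decodes the first fragment back into the bytes of an MZ header, locates the second fragment inside the base64 encoding of a constructed DOS header plus DOS stub, and re-implements the recipe's three conditions as line-anchored, case-insensitive regexes over a constructed MIME part, the way procmail's `B` flag evaluates them. The sample bytes, the MIME part builder and all function names are constructed for this example and are assumptions, not anything the original posters used.

```python
import base64
import re

# The two base64 fragments used as conditions in the procmail recipe quoted in the thread.
MZ_HEADER_B64 = "TVqQAAMAAAAEAAAA//8AALg"
DOS_STUB_B64 = "4fug4AtAnNIbg"

# Constructed sample bytes (not taken from any real binary): a 64-byte DOS header as
# produced by common Win32 linkers, followed by the usual DOS stub at offset 0x40.
DOS_HEADER = bytes([
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,  # "MZ", e_cblp, e_cp, e_crlc
    0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,  # e_cparhdr, e_minalloc, e_maxalloc, e_ss
    0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  # e_sp, e_csum, e_ip, e_cs
    0x40, 0x00, 0x00, 0x00,                          # e_lfarlc, e_ovno
]) + bytes(0x3C - 0x1C) + (0x80).to_bytes(4, "little")  # reserved zeros, then e_lfanew
DOS_STUB = bytes([
    0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 0x21,  # push cs / pop ds / mov dx,0Eh / mov ah,9 / int 21h
    0xB8, 0x01, 0x4C, 0xCD, 0x21,                          # mov ax,4C01h / int 21h
]) + b"This program cannot be run in DOS mode.\r\r\n$"
SAMPLE_EXE = DOS_HEADER + DOS_STUB


def decode_fragment(fragment: str) -> bytes:
    """Decode the bytes a base64 fragment fully determines, assuming it starts on a 4-char group."""
    if len(fragment) % 4 == 1:
        fragment = fragment[:-1]          # a lone trailing char encodes no whole byte
    padded = fragment + "=" * (-len(fragment) % 4)
    return base64.b64decode(padded)


def fragment_position(fragment: str, data: bytes):
    """Where does fragment occur in base64(data)? Returns (byte offset of the 3-byte group it
    starts in, chars into that group), or None. Shows that the text depends on alignment."""
    text = base64.b64encode(data).decode("ascii")
    idx = text.find(fragment)
    if idx < 0:
        return None
    return (idx // 4) * 3, idx % 4


def mime_part(data: bytes, filename: str = "attachment.bin") -> str:
    """Constructed MIME body part with a base64 body wrapped at 76 columns, as a mailer sends it."""
    body = base64.encodebytes(data).decode("ascii")
    return (
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n" + body
    )


def matches_recipe(body: str) -> bool:
    """The recipe's three conditions over the message body. '^' anchors at any line start and
    matching is case-insensitive, which is how procmail treats conditions without the D flag."""
    patterns = (
        r"^Content-Transfer-Encoding:.*base64",
        r"^" + re.escape(MZ_HEADER_B64),
        re.escape(DOS_STUB_B64),
    )
    return all(re.search(p, body, re.MULTILINE | re.IGNORECASE) for p in patterns)


if __name__ == "__main__":
    print("MZ fragment decodes to:", decode_fragment(MZ_HEADER_B64).hex(" "))
    print("DOS-stub fragment sits at:", fragment_position(DOS_STUB_B64, SAMPLE_EXE))
    print("exe attachment flagged:", matches_recipe(mime_part(SAMPLE_EXE, "setup.exe")))
    print("text attachment flagged:", matches_recipe(mime_part(b"Just a text attachment.\n", "notes.txt")))
    print("one byte of padding in front:", fragment_position(MZ_HEADER_B64, b"\x00" + SAMPLE_EXE))
```

Two things the output makes visible. The first fragment is exactly the 17 leading bytes of the DOS header (`4d 5a 90 00 03 00 ...`), so it fires on any base64-encoded Win32 executable, not only on a virus; the second fragment lands inside the encoding of the stub code at offset 0x40, which is only reliable because the stub sits at a fixed offset in that header layout. Prepending a single byte changes every base64 character after it, so the same bytes at a different offset no longer match; and, as the reply above points out, once a gateway such as MIMEDefang has stripped the attachment there is no base64 body left for either condition to see.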
