[vox-tech] Virus deluge
Karsten M. Self
vox-tech@lists.lugod.org
Thu, 29 Jan 2004 07:26:01 -0800
on Tue, Jan 27, 2004 at 10:39:17PM -0800, Mark K. Kim (markslist@cbreak.org) wrote:
> On Tue, 27 Jan 2004, Karsten M. Self wrote:
> 
> > > ================================================================================
> > > :0 B
> > > * -1
> > > * 1^0 ^Content-Transfer-Encoding: base64
> > > * 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
> > > * 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
> > > * 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
> > > * 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
> > > * 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
> > > * 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
> > > {
> > >   LOG="LOG: Virus: (Mydoom / Novar)"
> > >
> > >   :0:
> > >   Virus/
> > > }
> > > ================================================================================
> 
> I'm new to procmail so can I ask some questions?
> 
> What do ":0 B", "-1", and "1^0" do? Does LOG do anything?
Peter got most of this.
:<number> starts a recipe. Used to be that <number> was (IIRC) the
number of lines in the recipe. Now it's typically set to 0, and has no
special significance.
'B' scans body
: *after* '0' indicates a lockfile. Any rule that writes to a file
_should_ use a lockfile. Rules which invoke a program '| command'
or delivery '! address' _don't_ need a lockfile.
For more information: man procmail; man procmailrc; man procmailex
* <number>
* <number>^<number>
...are scoring rules. The first number says what to add. The
second says when to add it, and by how much. I understand this only
vaguely.
Essentially:
- No trailing value means "apply this score once in the evaluation of
this recipe".
- A trailing '0' means "apply this score once and only once if it is
matched".
- A trailing '1' means "add the score for *each* occurrence of a match".
- 0 < x < 1 : Each successive match contributes less than the prior one.
The score asymptotically approaches a value.
- 1 < x : Each successive match contributes more than the prior one.
The score grows asymptotically.
For more information: man procmailsc
The rule says, in English:
- Start a recipe. Scan the body.
- Use scoring. Set a default score of '-1' (require two matches for
the rule to take effect)
- Add one for a base64 MIME encoding demarcation.
- Add one for any of the following legacy MS Windows executable
signatures.
- The condition in braces is met if two rules matched.
- (If logging) log that this was a MyDoom virus match.
- Write to the Virus folder, a Maildir directory (the trailing '/'
indicates).
> Thanks! The rules seem to be working so far...
NP.
Peace.
-- 
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Sick of mal-formed websites? A stylesheet to override poor design:
http://twiki.iwethey.org/Main/UserContentCSS
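Added below as a worked illustration (editor's code, not part of Karsten's reply and not procmail itself): a small Python re-implementation of the `* w^x regexp` scoring semantics explained above, run over the conditions of the quoted MyDoom recipe and a few constructed message bodies. It assumes, as the reply does, that a bare `* -1` is an unconditional offset and that a weight with no exponent is applied once (i.e. treated as w^0); the i-th match of a condition contributes w * x**i, which gives the once / per-match / decaying / growing behaviours listed. Python's `re` module stands in for procmail's own regex engine, and the sample bodies are made up.

```python
"""Procmail-style weighted scoring, re-implemented in Python.

Added illustration of the `* w^x regexp` semantics described in the
thread; this is not procmail. The i-th match of a condition (counting
from zero) contributes w * x**i, so x=0 scores once, x=1 scores per
match, 0<x<1 decays and x>1 grows. A bare `* -1` with no regexp is
modelled as an unconditional offset, and a bare weight with no exponent
as w^0, both as the reply describes them (assumptions). Python's `re`
stands in for procmail's own regex engine.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Condition:
    weight: float
    exponent: float
    regex: Optional[str]  # None: bare weight, counts as one match


# "* w^x regexp"; the exponent and the regexp are both optional.
_COND = re.compile(r"^\*\s*(-?\d+(?:\.\d+)?)(?:\^(-?\d+(?:\.\d+)?))?\s*(.*)$")


def parse_condition(line: str) -> Condition:
    m = _COND.match(line.strip())
    if not m:
        raise ValueError("not a scoring condition: %r" % line)
    w, x, rx = m.groups()
    return Condition(float(w), float(x) if x is not None else 0.0, rx or None)


def count_matches(cond: Condition, text: str) -> int:
    if cond.regex is None:
        return 1
    # MULTILINE so that a leading ^ anchors at each line, as in procmail.
    return len(re.findall(cond.regex, text, re.MULTILINE))


def condition_score(cond: Condition, text: str) -> float:
    n = count_matches(cond, text)
    return sum(cond.weight * cond.exponent ** i for i in range(n))


def recipe_score(conds: List[Condition], text: str) -> float:
    return sum(condition_score(c, text) for c in conds)


def recipe_fires(conds: List[Condition], text: str) -> bool:
    # procmail takes a scored recipe when the total ends up positive.
    return recipe_score(conds, text) > 0


# The conditions of the MyDoom recipe quoted in the thread, verbatim.
MYDOOM_CONDITIONS = [parse_condition(l) for l in """
* -1
* 1^0 ^Content-Transfer-Encoding: base64
* 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
* 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
* 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
* 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
* 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
* 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
""".strip().splitlines()]

# Constructed sample bodies (not real messages). The "infected" one carries
# a base64 part header plus one of the signature fragments inside filler.
SIG1 = "1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r"
SIG2 = "Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq"
CLEAN_BODY = "Hi,\n\nstill on for the meeting at 3pm?\n"
BASE64_ONLY_BODY = (
    "--bnd\nContent-Type: image/png\nContent-Transfer-Encoding: base64\n\n"
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk\n"
)
INFECTED_BODY = (
    "--bnd\nContent-Type: application/octet-stream; name=document.zip\n"
    "Content-Transfer-Encoding: base64\n\n"
    "UEsDBBQAAAAIA" + SIG1 + "AAAAAAAAAAAAAA\n"
)
# Two signature fragments but no MIME part header: still two indicators.
TWO_SIGS_NO_HEADER_BODY = "x\n" + SIG1 + "\n" + SIG2 + "\n"


if __name__ == "__main__":
    samples = [("clean", CLEAN_BODY), ("base64 only", BASE64_ONLY_BODY),
               ("infected", INFECTED_BODY), ("two signatures", TWO_SIGS_NO_HEADER_BODY)]
    for name, body in samples:
        print("%-16s score=%4.1f fires=%s" % (
            name, recipe_score(MYDOOM_CONDITIONS, body),
            recipe_fires(MYDOOM_CONDITIONS, body)))
```

Running it prints the score and whether the recipe would be taken for each sample body. The base64-only body lands at exactly 0 and does not fire, which is the "two indicators" threshold the `* -1` offset buys; a body with two signature fragments fires even without the MIME header, since the recipe only asks for any two of its conditions, not specifically the header plus one fragment.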