On Thursday 04 March 2004 02:12 am, Tim Stoop wrote:
> On Thursday 4 March 2004 10:21, Thomas Muller wrote:
> > I've received thousands of emails with the "Latest Microsoft Critical
> > Patch" (various variants). Any rules out there catching these?
>
> I suggest not using SpamAssassin for catching viruses. Use a virus scanner
> like ClamAV. It catches those mails.
Yes, here is a maildrop script for it. I have caught tons of these. By the way,
clam is lighter on resources than spamassassin, so it really is a benefit to
use it for what it was made for.

# If it isn't Spam, then we scan for Virus
# if it is smaller than 2MB in size...
# anything larger... they are on their own
if($SIZE < 2000000)
{
xfilter "scanmail.sh"
}
if ((/^X-Virus-Status:.*INFECTED/))
{
to "$VIRUS"
}
if ((/^X-Amavis-Alert:.*INFECTED/))
{
to "$VIRUS"
}

That should get you started. If you need scanmail.sh, let me know. It's currently
under heavy work but is working perfectly now at any rate.

Also, here are some other rules for maildrop to make it easier to catch
attachments in general.

# dump all kinds of M$ stuff (99.99% viruses)
# (the pattern below must stay on one line; it had been wrapped by the mailer)
if (/^Content-Type:.*multipart/ && \
/^Content-Type:.*(audio\/x-|application).*name=.*\.(ad[ep]|asd|ba[st]|chm|cmd|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|url|vb[esx]?|vxd|ws[cfh])/:b)
{
log '====> Message contained typical M$ attachement.'
to "$VIRUS"
}
--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
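
The recipe in this message hands each mail to an external `scanmail.sh` that is not shown in the thread. The following is an added illustration of a filter of that shape, not the poster's script: it assumes ClamAV's `clamscan` is installed, and the `SCANNER` override, `tag_message` and `filter_main` are hypothetical names. It removes any `X-Virus-Status` header supplied by the sender before writing its own, so the `INFECTED` test in the maildrop rule only ever sees the local scanner's verdict.

```shell
#!/bin/sh
# Illustrative stand-in for the "scanmail.sh" xfilter (NOT the poster's script).
# The filter reads the message on stdin and writes the replacement to stdout.

# Assumption: clamscan is on PATH. It exits 0 = clean, 1 = virus found,
# anything else = scanner error. SCANNER can be overridden for testing.
SCANNER="${SCANNER:-clamscan --no-summary -}"

# tag_message FILE: print FILE with one trusted X-Virus-Status header added.
tag_message() {
    msg=$1
    rc=0
    $SCANNER <"$msg" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) status="Clean" ;;
        1) status="INFECTED" ;;
        *) status="Unknown (scanner error)" ;;
    esac
    awk -v hdr="X-Virus-Status: $status" '
        BEGIN { inhdr = 1; done = 0; skip = 0 }
        # Keep an mbox "From " envelope line first, if one is present.
        NR == 1 && /^From / { print; next }
        !done { print hdr; done = 1 }
        # A blank line ends the header block; the body is passed untouched.
        inhdr && /^$/ { inhdr = 0 }
        # Drop folded continuation lines of a header we are stripping.
        inhdr && skip && /^[ \t]/ { next }
        { skip = 0 }
        # Strip sender-supplied copies of our header (case-insensitive).
        inhdr && tolower($0) ~ /^x-virus-status:/ { skip = 1; next }
        { print }
    ' "$msg"
}

# filter_main: spool stdin to a temp file, scan it, emit the tagged message.
filter_main() {
    tmp=$(mktemp) || exit 75          # 75 = EX_TEMPFAIL from sysexits.h
    trap 'rm -f "$tmp"' EXIT
    cat >"$tmp"
    # The verdict travels in the header, not in the exit code.
    tag_message "$tmp"
}

# Run as a filter only when invoked under the name the maildrop rule uses.
case "${0##*/}" in
    scanmail.sh) filter_main ;;
esac
```

A scanner error is tagged `Unknown` and the mail is passed on; whether to deliver or defer in that case is a local policy choice.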