[Exim] Generic VBS script detection

Author: Nigel Metheringham
Date:  
To: Exim
New-Topics: [Exim] missed the filter.
Subject: [Exim] Generic VBS script detection
Andromeda's latest filter detects the specific ILOVEYOU VBS worm.
How good a filter can we come up with for generic VBS embeds - I
fear that there will be a rash of follow-ons on this one pretty soon.

I am not a filter expert :-(, and have not tested this, but how about
something like this as a starting point:-

  if ($message_body matches "^\\s+name=[A-Za-z0-9_.-]+\\.[vV][bB][sS]" or
      $message_body matches "^begin \\d\\d\\d .+\\.[vV][bB][sS]")
    ... then/action/endif


Do all MS MIME senders send attachments that way - i.e. a name= line on a
new line with just leading spaces?

[NB for those following... matches does regexp comparisons... but there
is a problem with quoting - hence the \\ in there. Is a ^ [beginning
of line anchor] OK to use here, or does it have to match a previous
line end character instead?]

    Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
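An added example, not part of the post above, that exercises the two patterns against a constructed message body to show the behaviour of the `^` anchor the post asks about: with the default flags `^` only matches at the very start of the body, so a name= line further down is missed, while a multiline anchor matches at each line start. It assumes Python's `re` is close enough to the PCRE semantics behind Exim's `matches` for these patterns, and it fixes the invalid `_-.` range and unescaped dot in the posted character class.

```python
import re

# Patterns modelled on the posted filter (character class written as
# [A-Za-z0-9_.-] so "-" is literal, and the dot before the extension escaped).
NAME_PATTERN = r"^\s+name=[A-Za-z0-9_.-]+\.[vV][bB][sS]"
UUENCODE_PATTERN = r"^begin \d\d\d .+\.[vV][bB][sS]"

# Constructed sample bodies (not taken from any real message).
MIME_BODY = (
    "Content-Type: application/octet-stream;\n"
    "    name=report.txt.vbs\n"          # continuation line with leading spaces
    "Content-Transfer-Encoding: base64\n"
)
UUENCODE_BODY = "begin 644 script.VBS\nM...\nend\n"   # uuencode header on line 1
QUOTED_BODY = (
    "Content-Type: application/octet-stream;\n"
    '    name="report.vbs"\n'            # filename in quotes: class has no '"'
)
CLEAN_BODY = "Content-Type: text/plain\n\nHello there.\n"


def detect_vbs(body: str, multiline: bool) -> bool:
    """Return True if either pattern matches the body.

    multiline=False: '^' anchors only at the start of the whole string,
    which is the default in PCRE and in Python's re.
    multiline=True:  '^' also anchors after every newline (PCRE (?m)).
    """
    flags = re.MULTILINE if multiline else 0
    return any(re.search(p, body, flags) for p in (NAME_PATTERN, UUENCODE_PATTERN))


def summary() -> dict:
    """Results for each sample body under both anchoring modes."""
    samples = {"mime": MIME_BODY, "uuencode": UUENCODE_BODY,
               "quoted": QUOTED_BODY, "clean": CLEAN_BODY}
    return {name: (detect_vbs(b, False), detect_vbs(b, True))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (plain, multi) in summary().items():
        print(f"{name:9s} single-line anchor={plain!s:5s} multiline anchor={multi}")
```

The quoted case shows a gap in the posted class rather than the anchor: a quoted filename (`name="report.vbs"`) is never matched, so a production rule would need to allow an optional quote before the name.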