Hi,
I have changed Nigel's system_filter (version 0.8) this way:
----------------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header [vb2_regexp]
# Added extensions "shs", "js", "chm" and "scr", db, 20.6.2000
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|js|exe|pif|com|chm|shs|scr|pif|mpg|mp3|bat)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|js|exe|pif|com|chm|shs|scr|pif|mpg|mp3|bat))"
then
...
seen finish
endif
----------------------------------------------------------------------------
but it did not block this virus-infected mail with empty From-Header:
----------------------------------------------------------------------------
Message-ID: <200102220928.KAA15560@???>
Subject:
Date: Thu, 22 Feb 2001 10:28:49 +0100
MIME-Version: 1.0
Content-Type: application/octet-stream;
name="MJECLHMJ.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="MJECLHMJ.EXE"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA ...
----------------------------------------------------------------------------
With embedded attachments the filter works fine, and has been a good help
against a lot of virus-attacks.
Thank you for any help.
Klaus Diebold
Informatik
Georg Thieme Verlag
Tel. 0711-8931-230
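
An offline check of the posted pattern against the sample Content-Type value, added here as an example and not part of the original post. Python's `re` stands in for Exim's regex engine; the two unescaping passes, the caseless behaviour of lowercase `matches`, the folding whitespace in the sample and all helper names are assumptions of this sketch.

```python
import re

# Extension alternation exactly as posted (duplicates included).
EXT = "vb[se]|ws[fh]|jse?|js|exe|pif|com|chm|shs|scr|pif|mpg|mp3|bat"

# The quoted string from the filter file, with the mail line-wrapping undone.
FILTER_STRING = (r'(?:file)?name=(\"[^\"]+\\\\.(?:' + EXT +
                 r')\"|[\\\\w.-]+\\\\.(?:' + EXT + r'))')

def unescape(s):
    """One backslash-removal pass: backslash + char -> char (simplified model)."""
    return re.sub(r"\\(.)", r"\1", s)

def effective_pattern(filter_string):
    # Assumption: the string is unescaped twice before it reaches the regex
    # engine (quoted-string processing, then string expansion).
    return unescape(unescape(filter_string))

def filter_matches(header_value, caseless=True):
    """Model lowercase 'matches' (caseless) or 'MATCHES' (case-sensitive)."""
    flags = re.IGNORECASE if caseless else 0
    m = re.search(effective_pattern(FILTER_STRING), header_value, flags)
    return m.group(1) if m else None

# Content-Type value of the message in the post; folding whitespace assumed.
SAMPLE = 'application/octet-stream;\n name="MJECLHMJ.EXE"'

if __name__ == "__main__":
    print("pattern:", effective_pattern(FILTER_STRING))
    # The last two header values are constructed for comparison.
    for value in (SAMPLE,
                  'text/plain; name="notes.txt"',
                  "application/octet-stream; name=setup.exe"):
        print(repr(value), "->", filter_matches(value))
        print("  case-sensitive ->", filter_matches(value, caseless=False))
```

This only rules the regular expression in or out for a given header value; it does not model how the system filter is loaded or which messages it is run on.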