On Tue, 24 Jul 2001, Mark Morley wrote:
> Yesterday I added this to my filter and in less than 24 hours it's
> caught over 4,100 copies of the Sircam virus:
>
> if "$message_body" contains "Hi! How are you" and
> "$message_body" contains "See you later" and
> "$message_body" contains "TVpQAAIAAAAEAA8A" then
> seen finish
> endif
>
> It's probably not foolproof, but it's working here with no false positives
> so far (I was getting false positives until I added the third check, which
> is just the first few bytes of the MIME encoded attachment).
For one thing it will let the Spanish varients of this virus through -
that openning/closing text is just the English varient. The virus decides
which to send based on the settings of the infected machine. I've
seen *plenty* of both in our frozen message pile today. :-)
Tatty bye,
Jim'll
