# Exim filter
if
  $h_content-type: contains "multipart\/related" and
  $h_content-type: contains "type=\"multipart\/alternative\";" and
  $h_content-type: contains "boundary=\"====_ABC1234567890DEF_====\""
then
  # the post leaves out the body; it only says the message is failed with a
  # text mentioning a 'worm virus'. the wording below is a placeholder, and
  # "fail" is only permitted in the system filter.
  fail text "Message rejected: it appears to have been generated by a worm virus"
endif
this was originally for nimda (not that it had caught any of them,
seems like this server was just lucky), but it's been catching
badtrans without a problem, and without any false positives. from
that, i concluded that this is a habit amongst these worms, and
changed the wording of the fail message from mentioning nimda to
mentioning just a 'worm virus', and decided to keep that in for the
time being. or, at least as long as it doesn't start producing false
positives.
(for some reason i have the feeling that this boundary isn't valid
anyway, but i was too lazy to read about it. anyone done that perhaps? :)
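The same three header checks written out in Python, as an added example that is not part of the original post or of Exim. It uses the standard email module to read the Content-Type header, folds case the way Exim's lower-case "contains" does, and additionally checks the boundary parameter against the RFC 2046 grammar, which does permit "=" and "_", so the boundary in the rule is syntactically valid. The sample messages are constructed for the example, not captured traffic.

```python
"""Added example, not from the original post: apply the three Content-Type
substring tests of the Exim filter above to raw messages with Python's
standard email module, and check the boundary parameter against the RFC 2046
grammar (the post wonders whether the boundary is valid)."""
import re
from email import message_from_string

# The three tokens the filter tests for, copied from the post. Exim's lower-case
# "contains" is case-insensitive, so the comparison below folds case as well.
SIGNATURE_TOKENS = (
    'multipart/related',
    'type="multipart/alternative";',
    'boundary="====_ABC1234567890DEF_===="',
)

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from
# DIGIT / ALPHA / ' ( ) + _ , - . / : = ? and space, and may not end in a space.
_BCHARSNOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
_BOUNDARY_RE = re.compile(r"^[%s ]{0,69}[%s]$" % (_BCHARSNOSPACE, _BCHARSNOSPACE))


def unfolded_content_type(raw_message):
    """Return the Content-Type header with folded continuation lines joined."""
    msg = message_from_string(raw_message)
    ctype = msg.get('Content-Type', '')
    return re.sub(r'\r?\n[ \t]+', ' ', ctype)


def matches_worm_signature(raw_message):
    """True when all three tokens occur in the Content-Type header."""
    ctype = unfolded_content_type(raw_message).lower()
    return all(token.lower() in ctype for token in SIGNATURE_TOKENS)


def boundary_is_valid(boundary):
    """True when the boundary satisfies the RFC 2046 grammar."""
    return bool(_BOUNDARY_RE.match(boundary))


def analyse(raw_message):
    """Summarise what a filter would see for one message."""
    msg = message_from_string(raw_message)
    boundary = msg.get_param('boundary') or ''
    return {
        'content_type': msg.get_content_type(),
        'worm_signature': matches_worm_signature(raw_message),
        'boundary': boundary,
        'boundary_valid': boundary_is_valid(boundary),
    }


# Constructed sample messages (not captured traffic): one with the header
# shape the filter targets, one ordinary multipart/related message.
WORM_LIKE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/plain

constructed body
--====_ABC1234567890DEF_====--
"""

BENIGN = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample with inline image
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html";
 boundary="----=_Part_0001_constructed"

------=_Part_0001_constructed
Content-Type: text/html

<p>constructed body</p>
------=_Part_0001_constructed--
"""

if __name__ == '__main__':
    for name, sample in (('worm-like', WORM_LIKE), ('benign', BENIGN)):
        print(name, analyse(sample))
```

The substring test is deliberately kept identical to the Exim rule so the two can be compared on the same messages; the benign sample shows why the rule needs all three tokens, since plain multipart/related mail with a different type parameter and boundary passes untouched.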