Re: [Exim] Regex gurus - KLEZ

Author: sharun
Date:  
To: Odhiambo G. Washington, Exim Users
Subject: Re: [Exim] Regex gurus - KLEZ

if $message_body matches "Content-Type: application/octet-stream;.*(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))" and
$h_X-Mailer: is ""
then
  fail text "This message has been rejected because it has\n\
             potentially executable content (Klez virus ?)\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif



Odhiambo G. Washington wrote:
> I am wondering if someone has written a filter regex that would take care of a
> situation like the one I have below where (most important, I think) the
> second line keeps on changing, with the extension rather constant between
> htm|jpg - this is KLEZ.
>
>
> Content-Type: application/octet-stream;
>         name=getmsg[26].htm
> Content-Transfer-Encoding: base64
> Content-ID: <K1S5eo704zep2WSR>
>
> Content-Type: application/octet-stream;
>         name=butterfly1[1].jpg
> Content-Transfer-Encoding: base64
> Content-ID: <SS727gz732172G4A9>
>
> Content-Type: application/octet-stream;
>         name=sexygirl[12].jpg
> Content-Transfer-Encoding: base64
> Content-ID: <SS727gz732892G4A9>
>
> Thanks.
>
>
>
> -Wash
>
> --
>                        /"\
> Odhiambo Washington    \ /     ASCII Ribbon Campaign
> Wananchi Online Ltd.,   X      Against HTML Mail,
> PO Box 10286,          / \     HTML News Too, and
> 00100 NAIROBI, KE.            MS WORD docs.
> ++
>
> Wisdom begins in wonder.
> -Socrates
>


--
VVS56-RIPE
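
An added example, not part of the original post: a Python harness that runs the regular expression from the filter above against MIME part headers, to see which attachment names it would flag before deploying it. Assumptions: each of Exim's two passes over a quoted string (quote processing, then expansion) halves the backslashes, lower-case `matches` is case-independent, and `$message_body` has newlines turned into spaces; the helper names and the samples marked "constructed" are made up here.

```python
import re

# Pattern text exactly as it sits inside the double quotes of the filter above.
AS_WRITTEN = (r'Content-Type: application/octet-stream;.*(?:file)?name=(\\\\S+\\\\.'
              r'(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|'
              r'md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))')

def unescape_once(s):
    # Simplified model of one Exim pass over the string: "\\" becomes "\".
    return s.replace('\\\\', '\\')

# Assumption: quote processing and string expansion each halve the backslashes,
# and lower-case "matches" compares case-independently.
EFFECTIVE = unescape_once(unescape_once(AS_WRITTEN))
PATTERN = re.compile(EFFECTIVE, re.IGNORECASE)

def flagged_name(mime_text):
    # Assumption: $message_body presents the body with newlines turned into spaces.
    flat = mime_text.replace('\r', '').replace('\n', ' ')
    m = PATTERN.search(flat)
    return m.group(1) if m else None

def would_reject(mime_text, x_mailer=''):
    # Mirrors the filter's two conditions: regex hit AND empty X-Mailer header.
    return flagged_name(mime_text) is not None and x_mailer == ''

def part(param):
    # Constructed MIME part header in the shape quoted in this thread.
    return ('Content-Type: application/octet-stream;\n'
            '        ' + param + '\n'
            'Content-Transfer-Encoding: base64\n')

SAMPLES = {
    'exe': part('name=setup.exe'),                 # constructed
    'pif': part('filename=Invoice.PIF'),           # constructed
    'quoted': part('name="photo.scr"'),            # constructed
    'double_ext': part('name=notes.txt.vbs'),      # constructed
    'htm': part('name=getmsg[26].htm'),            # name quoted in the thread
    'jpg': part('name=butterfly1[1].jpg'),         # name quoted in the thread
}

if __name__ == '__main__':
    print('effective regex:', EFFECTIVE)
    for label, text in SAMPLES.items():
        print(f'{label:10} captured={flagged_name(text)!r} reject={would_reject(text)}')
```

Under these assumptions the two names quoted in the thread are not flagged, because `.htm` and `.jpg` are not in the extension list, and a message with a non-empty X-Mailer header passes regardless of the attachment name.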