On May 10, 8:27am, John W Baxter wrote:
> Subject: Re: [Exim] the Klez virus
> At 12:20 +0100 5/10/2002, Neil Long wrote:
> >A simple
> >
> >if $message_body contains "AAAAAAAA 2AAAAA4fug4AtAnNIbgBTM0hVGhpc" then
> >freeze text "Klez"
> >endif
> >
> >will give you something to refine - better to also filter on body
> >length, etc as the above would trap this email (of course).
>
> I dropped a run of spaces into the test's target (it has none).
>
> How far down the KLEZ messages does this data appear (how much do we have
> to lengthen message_body_visible to reach it)? Rhetorical question, as I
> have plenty of sample KLEZ available to look at. The default 500 bytes
> pretty clearly isn't enough.
>
> --John
It is the second line of the base-64 section - just a couple of lines
down from the section headers.
I wouldn't have thought much more than 500 bytes in - I use
message_body_visible = 5000
on my own machines but it catches them all on at least one host
where this is not defined and the default is taken.
I am surprised your samples of virus laden mail aren't triggering.
It seems to work for -E and -G (aka -H) variants
regards
Neil
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dr Neil J Long, Computing Services, University of Oxford
13 Banbury Road, Oxford, OX2 6NN, UK Tel:+44 1865 273232 Fax:+44 1865 273275
EMail: Neil.Long@???
PGP: ID 0xE88EF71F OxCERT: oxcert@??? PGP: ID 0x9FF898D5
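The point under discussion is that an Exim `$message_body contains` test only sees the first `message_body_visible` bytes of the body, so whether the filter fires depends on how far into the message the matching base64 line sits. The following Python script is an added illustration, not code from the thread or from Exim: it builds a constructed multipart message (a placeholder marker string stands in for the signature fragment, and the base64 filler is not a real attachment), mimics Exim's truncation of `$message_body` (simplified: line ends become single spaces, as with the default `message_body_newlines = false`), and reports the smallest `message_body_visible` value that would let the filter reach the marker. The function names and the 500/5000 thresholds compared are assumptions taken from the thread.

```python
# Added example: how message_body_visible limits an Exim "$message_body contains" test.
# Constructed sample data throughout; MARKER is a placeholder, not a real signature.

BOUNDARY = "----=_constructed_boundary"
MARKER = "PLACEHOLDER_SIGNATURE_FRAGMENT"
B64_FILLER = "QUFB" * 19  # constructed base64 filler line (76 chars), decodes to "AAA..."


def build_sample(html_padding: int) -> bytes:
    """Constructed multipart mail: an HTML part of variable size, then a base64 part
    whose second line carries the marker (mirroring the thread's description)."""
    html = "<html><body>" + "x" * html_padding + "</body></html>"
    lines = [
        "From: sender@example.invalid",
        "To: recipient@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/html",
        "",
        html,
        f"--{BOUNDARY}",
        'Content-Type: application/octet-stream; name="attachment.bin"',
        "Content-Transfer-Encoding: base64",
        "",
        B64_FILLER,   # first base64 line
        MARKER,       # second base64 line: where the thread says the match lives
        f"--{BOUNDARY}--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def body_of(raw: bytes) -> bytes:
    """$message_body only covers what follows the blank line ending the top-level headers."""
    sep = raw.find(b"\r\n\r\n")
    return b"" if sep == -1 else raw[sep + 4:]


def visible_body(raw: bytes, limit: int) -> str:
    """Approximation of Exim's $message_body: the first `limit` bytes of the body,
    with line ends turned into spaces (simplified newline handling, assumed)."""
    chunk = body_of(raw)[:limit]
    return chunk.decode("latin-1").replace("\r\n", " ").replace("\n", " ")


def filter_matches(raw: bytes, limit: int, needle: str) -> bool:
    """Equivalent of:  if $message_body contains "needle" then ... endif"""
    return needle in visible_body(raw, limit)


def needle_offset(raw: bytes, needle: str) -> int:
    """Byte offset of the needle within the body, or -1 if absent."""
    return body_of(raw).find(needle.encode("ascii"))


def smallest_visible_limit(raw: bytes, needle: str) -> int:
    """Smallest message_body_visible that still exposes the whole needle to the filter."""
    off = needle_offset(raw, needle)
    return -1 if off == -1 else off + len(needle)


if __name__ == "__main__":
    # Small HTML part: the marker lies within the default 500 bytes.
    # Large HTML part: the default misses it, but 5000 (as used in the thread) reaches it.
    for padding in (0, 2000):
        msg = build_sample(padding)
        print(f"html padding {padding:>5}: marker at body offset {needle_offset(msg, MARKER)}, "
              f"needs message_body_visible >= {smallest_visible_limit(msg, MARKER)}; "
              f"matches at 500: {filter_matches(msg, 500, MARKER)}, "
              f"at 5000: {filter_matches(msg, 5000, MARKER)}")
```

Run it to see that the same filter condition silently stops matching once preceding MIME parts push the base64 section past the visible window; raising `message_body_visible` (or checking `smallest_visible_limit` against your own samples) is the check to make before trusting such a rule.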