Re: [Exim] the Klez virus

Author: dman
Date:  
To: exim-users
Subject: Re: [Exim] the Klez virus
--
On Fri, May 10, 2002 at 08:27:31AM -0700, John W Baxter wrote:
| At 12:20 +0100 5/10/2002, Neil Long wrote:
| >A simple
| >
| >if $message_body contains "AAAAAAAA    2AAAAA4fug4AtAnNIbgBTM0hVGhpc" then
| >freeze text "Klez"
| >endif
| >
| >will give you something to refine - better to also filter on body
| >length, etc as the above would trap this email (of course).


| How far down the KLEZ messages does this data appear


Depends. Several of the copies I got went through my school address.
They have some sort of filter that drops a premade text/plain section
in above the attachment (and used to strip the attachment too but let
me see the headers of it, now the attachment is still there). These
messages have it pretty far down.

| (how much do we have to lengthen message_body_visible to reach it)?
| Rhetorical question, as I have plenty of sample KLEZ available to
| look at. The default 500 bytes pretty clearly isn't enough.


I also include $message_body_end in my test string just to test
against another section of the message.

-D

--

A wise servant will rule over a disgraceful son,
and will share the inheritance as one of the brothers.
        Proverbs 17:2


GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
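
An added illustration, not part of the original post and not Exim code: a small Python model of the body windows discussed in this thread. It assumes `$message_body` holds the first `message_body_visible` bytes of the body and `$message_body_end` the last; the marker string and the sample bodies are constructed.

```python
# Added model of the filter's view of a body; not Exim code.
# Assumption: $message_body = first message_body_visible bytes of the body,
# $message_body_end = last message_body_visible bytes.
DEFAULT_VISIBLE = 500                 # default size mentioned in the thread
MARKER = "EXAMPLEMARKER0123456789"    # constructed stand-in signature

def windows(body, visible=DEFAULT_VISIBLE):
    """Return (head, tail): what the two variables would expose."""
    return body[:visible], body[-visible:]

def filter_hits(body, visible=DEFAULT_VISIBLE, use_end=False):
    """Emulate a caseless `contains` test on head, optionally head + tail."""
    head, tail = windows(body, visible)
    haystack = head + (" " + tail if use_end else "")
    return MARKER.lower() in haystack.lower()

def min_visible_for_head(body):
    """Smallest message_body_visible that lets the head test reach the marker."""
    pos = body.find(MARKER)
    return None if pos < 0 else pos + len(MARKER)

# Constructed sample bodies.
PREAMBLE = "-" * 100                                    # text before the marker
INSERTED = "This part was added by a gateway. " * 30    # 1020-byte prepended part
DIRECT = PREAMBLE + MARKER + "A" * 3000                 # marker near the top
PUSHED = INSERTED + DIRECT                              # marker pushed down
SHORT = INSERTED + PREAMBLE + MARKER + "A" * 200        # marker near the end

if __name__ == "__main__":
    for name, body in (("direct", DIRECT), ("pushed", PUSHED), ("short", SHORT)):
        print(name,
              "head:", filter_hits(body),
              "head+end:", filter_hits(body, use_end=True),
              "head@2000:", filter_hits(body, visible=2000),
              "needs:", min_visible_for_head(body))
```

In the "pushed" body the marker sits outside both 500-byte windows, so adding the end window only helps when the marker is near the end of the body, as in "short".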
