[Mimedefang] klez detection

Joseph Brennan brennan at columbia.edu
Mon Mar 31 14:53:01 EST 2003


>          if (join("",@{$entity->body}) =~ /TVqQAAMAAAAEAAAA/) {
>             md_log('klez_virus', $fname, $type);


This is pretty accurate:

AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW

I think that's the second line.

Yes, I do know of a false positive, one case in over a year
of using this with procmail.  That one was a Windows executable
said to be not Klez.

Joseph Brennan          Columbia University in the City of New York
postmaster at columbia.edu                 Academic Technologies Group
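The two checks discussed in this thread, shown as an added Python example that is not the list's or the quoted filter's own code: matching the base64 literal on the still-encoded attachment body, as the Perl snippet does, and a decode-side check for the DOS-stub banner that the second base64 line encodes. Because the literal is just the start of a standard DOS/PE header, it flags any Windows executable, which is why the false positive above is expected. The sample message and the fake executable bytes are constructed here and are not a real binary.

```python
import re
from email.message import EmailMessage

# First 12 bytes of a standard DOS/PE header, and their base64 form,
# which is the literal the quoted MIMEDefang filter searches for.
MZ_RAW = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
MZ_B64 = re.compile(r"TVqQAAMAAAAEAAAA")

# Constructed stand-in for an executable attachment: MZ header, zero padding
# up to the DOS stub at offset 0x40, the stub's code bytes, and its banner.
# It is not a real program and cannot run.
FAKE_EXE = (MZ_RAW + b"\xff\xff\x00\x00" + b"\x00" * 48
            + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + b"This program cannot be run in DOS mode.\r\n$")

def b64_body_has_mz(raw_b64: str) -> bool:
    """Match on the still-encoded body text, as the quoted filter does.
    The literal only lines up when the header sits on a 3-byte boundary,
    which always holds at the start of an attachment body."""
    return MZ_B64.search(raw_b64) is not None

def decoded_is_pe_stub(data: bytes) -> bool:
    """Decode-side check: MZ magic plus the usual DOS-stub banner."""
    return data.startswith(b"MZ") and b"This program cannot be run" in data

def scan_message(msg: EmailMessage) -> list:
    """Return (filename, verdict) for every base64 part carrying an MZ header."""
    hits = []
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        raw_b64 = part.get_payload()            # encoded text, not yet decoded
        if not b64_body_has_mz(raw_b64):
            continue
        decoded = part.get_payload(decode=True)
        verdict = "pe-stub" if decoded_is_pe_stub(decoded) else "mz-magic-only"
        hits.append((part.get_filename() or "(unnamed)", verdict))
    return hits

def build_sample_message() -> EmailMessage:
    """Constructed message: one harmless base64 attachment, one fake executable."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"plain notes\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(FAKE_EXE, maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    return msg

if __name__ == "__main__":
    print(scan_message(build_sample_message()))   # [('setup.exe', 'pe-stub')]
```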