[Mimedefang] klez detection

Rich West Rich.West at wesmo.com
Mon Mar 31 19:56:01 EST 2003


Ouch.. at the very least, you could use the File::Scan perl module for 
virus signature detection.  It's VERY simple and rather effective.  It 
makes for a great starting point..

-Rich


Michael Sims wrote:

>I saw this method in the archives, and it is definitely not reliable.  There
>are many legitimate attachments that will have that same sequence of
>characters that are not infected.
>
>My current filter is pretty ugly, but it seems effective.  This is what I do
>inside the filter() sub:
>
>1. Check to see if the message contains an attachment of *.pif or *.scr.  If
>so, log it and discard it.  I can't think of a legitimate reason to send
>those types of attachments in email, and they are VERY prevalent in virus
>infected emails.  By discarding those right off the bat I save my filter
>from having to do a lot of pointless work.  I can't foresee a situation where
>one of my end users calls me and says "help, I can't send this great *.pif
>file to my friend Bob in Accounting..."
>
>2. If the message contains an attachment of type *.exe, *.bat, or *.com, I
>then scan the Subject line against a list of known Klez-variant subject
>lines.  If the subject matches one of the patterns, I log it and discard it.
>This is really ugly, I know, but it seems to be effective.  I'm sure the
>subject scan is an expensive operation, but it only occurs if the message
>contains one of the aforementioned attachment types, and not on all
>messages.
>
>I'm certain there is a better approach, but if you're interested in my
>filter I can send it to you off-list...
>
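The two-step rule Michael describes (drop .pif/.scr outright; for .exe/.bat/.com, check the Subject against Klez-style patterns), written here as a stand-alone Python reimplementation for testing the logic; this is an added example, not Michael's filter and not MIMEDefang's own Perl API. The subject patterns and the sample messages are constructed for the example; a real deployment would carry a maintained pattern list.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Step 1: extensions discarded outright, regardless of subject.
ALWAYS_DISCARD = {".pif", ".scr"}
# Step 2: extensions that trigger the (more expensive) subject check.
SUBJECT_CHECK = {".exe", ".bat", ".com"}

# Sample Klez-style subject patterns, constructed for this example only.
KLEZ_SUBJECT_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"^\s*(hi|hello)\s*,?\s*$",
        r"^a (very )?funny (website|game)",
        r"^w32\.(elkern|klez)",
        r"^worm klez\.\w+ immunity",
        r"^(undeliverable|returned) mail--",
    )
]

def attachment_extensions(msg):
    """Yield the lower-cased extension of every part that carries a filename."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield os.path.splitext(name)[1].lower()

def classify(raw: bytes) -> str:
    """Return 'discard-attachment', 'discard-subject' or 'accept'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    exts = set(attachment_extensions(msg))
    if exts & ALWAYS_DISCARD:
        return "discard-attachment"
    if exts & SUBJECT_CHECK:
        subject = str(msg.get("Subject", ""))
        if any(p.search(subject) for p in KLEZ_SUBJECT_PATTERNS):
            return "discard-subject"
    return "accept"

def build(subject: str, filename) -> bytes:
    """Construct a sample message for testing (not a real capture)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("see attached")
    if filename:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Note that the extension match is case-insensitive, so `Report.PIF` is caught, and that a Klez-looking subject alone (with a `.txt` attachment) is still accepted, exactly as the two-step rule intends.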