[Mimedefang] procmail rule for Novarg
Kenneth Porter
shiva at sewingwitch.com
Tue Jan 27 13:08:45 EST 2004
John Hardin, author of the Procmail Sanitizer, just posted the following rule
to the Sanitizer mailing list to catch Novarg. What's needed to translate it
into an MD equivalent? (Another rule after this one does the needed
administrative tasks based on the X-Content-Security headers.)
#
# Trap NovArg
# Signature as of 01/26/2004
#
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
{
  :0 B hfi
  * ^Content-Type: text/plain;$.*charset="Windows-1252"
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
  * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
  | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
            -A "X-Content-Security: [$HOST] DISCARD" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html"
}
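
Added example, not part of the original post and not MIMEDefang filter code: a Python sketch of the recipe's conditions applied to parsed MIME parts, which are the checks any equivalent filter has to make. The function names and the sample message are constructed for illustration. It assumes the attachment conditions apply to a single part, which is stricter than the recipe, since the `B` flag greps the whole body.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Same base names and optional digits as the recipe's two weighted conditions.
NAME_RE = re.compile(
    r"(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip", re.I)

def matches_novarg_rule(raw: bytes) -> bool:
    """Return True if a raw message meets every condition of the recipe."""
    # "* > 10000" / "* < 50000": size window on the whole message, in bytes.
    if not 10000 < len(raw) < 50000:
        return False
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/mixed":
        return False
    has_text = has_zip = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_content_type() == "text/plain"
                and part.get_content_charset() == "windows-1252"):
            has_text = True
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        # get_filename() reads filename= on Content-Disposition, then name=
        # on Content-Type, covering both header forms the recipe allows.
        name = part.get_filename() or ""
        if (part.get_content_disposition() == "attachment"
                and cte == "base64" and NAME_RE.match(name)):
            has_zip = True
    return has_text and has_zip

def build_sample(filename: str, payload_len: int) -> bytes:
    """Constructed test message; the attachment is zero bytes, not an archive."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "test"
    m.set_content("constructed body\n", charset="windows-1252")
    m.add_attachment(b"\0" * payload_len, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn, n in [("document.zip", 15000), ("report.zip", 15000), ("body7.zip", 1000)]:
        print(fn, n, matches_novarg_rule(build_sample(fn, n)))
```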