[Esd-l] Anyone got a procmail signature for Klez?
Graham Dunn
gdunn at inscriber.com
Tue Apr 30 12:47:01 PDT 2002
On Sat, Apr 27, 2002 at 08:53:44PM -0700, John D. Hardin wrote:
> On Fri, 26 Apr 2002, John D. Hardin wrote:
>
> Rev. 0.2:
>
> # Trap Klez (signature as of 04/26/2002)
> #
> :0
> * > 100000
> * ^Content-Type:.*multipart/alternative;
> {
> :0 B hfi
> * \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
> * ^Content-Type:.*audio/
> * ^Content-ID:.*<
> * ^Content-Transfer-Encoding: base64
> * ^TVqQAAMAAAAEAAAA
> | formail -A "X-Content-Security: [$HOST] NOTIFY" \
> -A "X-Content-Security: [$HOST] DISCARD" \
> -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
> }
Just as an aside ... can/does the sanitizer use the envelope-from to
reply to (rather than the From: in the message)? I hate to think I've
been spamming the wrong people :/
Graham
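
Added example, not part of the original thread and not code from the sanitizer: a Python approximation of the conditions in the quoted Rev. 0.2 recipe, run against a constructed, inert message so that each condition can be checked offline. The function names, the sample message, and the mapping of procmail's regex semantics onto Python's `re` are assumptions.

```python
import re

# Assumptions: procmail's case-insensitive, line-oriented matching is mapped to
# re.I | re.M, and its \< "character before a word" token to (?:^|\W).
FLAGS = re.I | re.M
MIN_SIZE = 100000  # "* > 100000": message larger than this many bytes
HEADER_RULE = re.compile(r"^Content-Type:.*multipart/alternative;", FLAGS)
BODY_RULES = {
    "iframe": re.compile(r"(?:^|\W)i?frame +src=(3D)?cid:.* height=(3D)?[0-9]"
                         r" +width=(3D)?[0-9]>", FLAGS),
    "audio_part": re.compile(r"^Content-Type:.*audio/", FLAGS),
    "content_id": re.compile(r"^Content-ID:.*<", FLAGS),
    "base64": re.compile(r"^Content-Transfer-Encoding: base64", FLAGS),
    "mz_header": re.compile(r"^TVqQAAMAAAAEAAAA", FLAGS),
}

def check(raw):
    """Return {condition: bool} so a miss can be traced to a single rule."""
    head, _, body = raw.partition("\n\n")
    result = {"size": len(raw.encode()) > MIN_SIZE,
              "multipart": bool(HEADER_RULE.search(head))}
    result.update({name: bool(rx.search(body)) for name, rx in BODY_RULES.items()})
    return result

def is_trapped(raw):
    """True only when every condition of the recipe holds (procmail ANDs them)."""
    return all(check(raw).values())

def build_sample(padding_lines=1400, part_type="audio/x-wav", qp=True):
    """Constructed, inert test message: the recipe's MZ prefix plus 'A' filler."""
    eq = "=3D" if qp else "="
    return "\n".join([
        "From: sender@example.com",
        "Content-Type: multipart/alternative;",
        ' boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/html",
        "",
        f"<HTML><iframe src{eq}cid:part1 height{eq}0 width{eq}0></iframe></HTML>",
        "--b1",
        f"Content-Type: {part_type}",
        "Content-Transfer-Encoding: base64",
        "Content-ID: <part1>",
        "",
        "TVqQAAMAAAAEAAAA" + "A" * 60,
        *["A" * 76] * padding_lines,
        "--b1--", ""])
```

Calling `check()` on a message that should have been trapped shows which single condition failed, for example the size gate on a truncated sample.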