[Esd-l] So.Big rule
John D. Hardin
jhardin at impsec.org
Thu Aug 28 19:21:12 PDT 2003
On Thu, 28 Aug 2003, Sergio Cesar wrote:
> Is this how this rule should look now?
> (watch for the line wrap)
> Sergio
>
> # Trap SoBig (signature as of 06/26/2003) updated 08/21/2003, 08/28/2003
> #
> :0
> * > 98000
> * < 130000
> * ^Content-Type:.*multipart/mixed;
Eek. I just realized that won't match bounces that aren't in RFC822
format. Change it to:
> * HB ?? ^Content-Type:.*multipart/mixed;
> * HB ?? ^X-MailScanner: Found to be clean
> {
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
65 days until Matrix Revolutions
More information about the esd-l
mailing list