[pmmail-list] SirCam Virus Filtering Update

Kris Sorem Sr pmmail-list@blueprintsoftwareworks.com
Sun, 05 Aug 2001 01:31:11 -0700 (PDT)


On Sun, 05 Aug 2001 08:08:59 +0200 (MES), Lueko Willms wrote:

>  Comments: 
>
>  Why "!(m.size<"137216")? Why not simply m.size>"137216" or
>m.size>"137215"?

My preference. I maintain consistency of format across all my filters.
!(m.size<"137216") represents message size>=134k. Your suggestions will
accomplish the same thing since every message has some overhead. Use
them if you wish. My filter is only a suggestion. It can be used, not
used, modified, or shortened.

>
>  Seems easier to understand to me. 

If it is easier to understand for you then you should use it.

>
>  Second: in the body it is either the English pair or the Spanish
>pair, so 
>
>  ((b="Hi! How are you?" & b="See you later. Thanks") |
>   (b="Hola como estas?" & b="Nos vemos pronto, gracias"))
>
>  seems to be more accurate. I think in an earlier post you had it
>this way, too. 

You are correct on both statements. However, I had a report that an
equivalent filter failed to catch a message indicating a possible
mutation. The updated filter will still catch the dual pairs but
provides for the possibility of mutation.

>
>  As to the "date:" header being not capitalized, I have observed it
>too. Why the virus experts at Norton Antivirus Center or McAfee
>don't report it, I don't know. Maybe they have not looked at it or
>they think that the normal user doesn't see the headers anyway. 

I have found no consistency here. The AV community probably haven't
either. It could also be that some mail clients do not permit filtering
on the header. I don't have experience with every possible client.
--
JMO, 
/s/~Kris
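
The three checks discussed in this message (the size threshold, paired versus single body phrases, and the lowercase "date:" header), as an added Python example. It is not PMMail filter syntax and not the poster's filter; the "relaxed" rule (any one phrase) is an assumed reading of "provides for the possibility of mutation", and the sample messages are constructed.

```python
import email
import re

SIZE_MIN = 137216  # threshold from the filter discussed above (134 * 1024 bytes)
PAIRS = [  # body phrase pairs quoted in the thread
    ("Hi! How are you?", "See you later. Thanks"),
    ("Hola como estas?", "Nos vemos pronto, gracias"),
]

def body_text(raw: bytes) -> str:
    """Concatenate the decoded text/plain parts of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"").decode("latin-1"))
    return "\n".join(chunks)

def has_lowercase_date(raw: bytes) -> bool:
    """True if the raw header block spells the field name 'date:' in lowercase.
    Parsed header access is case-insensitive, so this must inspect raw bytes."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    return any(line.startswith(b"date:") for line in head.splitlines())

def classify(raw: bytes) -> dict:
    body = body_text(raw)
    big = not (len(raw) < SIZE_MIN)  # same form as !(m.size<"137216")
    strict = any(a in body and b in body for a, b in PAIRS)   # both phrases of one pair
    relaxed = any(p in body for pair in PAIRS for p in pair)  # assumed mutation-tolerant rule
    return {"size": big, "strict": big and strict, "relaxed": big and relaxed,
            "lowercase_date": has_lowercase_date(raw)}

def sample(body: str, pad: int = SIZE_MIN) -> bytes:
    """Constructed message: a text part plus a dummy attachment of at least `pad` bytes."""
    filler = ("A" * 76 + "\r\n") * (pad // 78 + 1)
    return (
        "From: a@example.com\r\ndate: Sun, 05 Aug 2001 00:00:00 -0700\r\n"
        'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
        "--B\r\nContent-Type: text/plain\r\n\r\n" + body + "\r\n"
        "--B\r\nContent-Type: application/octet-stream\r\n\r\n" + filler + "--B--\r\n"
    ).encode("latin-1")

if __name__ == "__main__":
    both = "Hi! How are you?\r\nattached file\r\nSee you later. Thanks"
    for name, raw in [("both phrases", sample(both)),
                      ("one phrase only", sample("Hi! How are you?\r\nBye")),
                      ("small message", sample(both, pad=100))]:
        print(name, classify(raw))
```

The relaxed rule trades accuracy for coverage: any large message that happens to contain one of the four phrases will match it.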