[pmmail-list] Complex filter for virus update

Lueko Willms pmmail-list@blueprintsoftwareworks.com
Mon, 30 Jul 2001 20:15:31 +0200 (MES)


On Mon, 30 Jul 2001 08:27:42 -0500 (CDT), Maynard wrote:

> I'd still like to hear from others if the filter
> 
> h-s="date: " & a="YES"
> 
> fails to catch any SirCam, or catches any false positives.

  Do you think that the PMMail filter is case sensitive? 

  Also, I would add a "a.size > 130000", because McAfee reported the
length of the virus to be 137'216 bytes. 

  Still, I think that a filter for that virus should look for the
fixed first and last lines in English and in Spanish, and the
presence of an attachment larger than 130000 bytes. 

  BTW, one other filter criterion is to have a program run on the
message, and check the return; the program could be a virus checking
program and return either the name of the virus found or an empty
string. In this way, one could generalize the filtering of virus
infected messages and let the sender know by an automated process
that she or he is spreading viruses. 

  Other than the HYBRIS virus, the Sircam comes with a sender's
address, so it is easier to let the infected people know about their
infection and stop the spread of the virus. 

Yours, 
Lüko Willms 
Frankfurt/Main 
/ Lueko.Willms@T-Online.de 
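
Added example, not part of the original post and not PMMail's own code: a small external check program of the kind described above, which reads a message and returns a label or an empty string. It assumes the quoted filter's header test means a header line starting with lowercase `date: `, matched case-sensitively; the label, function names and sample message are hypothetical.

```python
import sys
from email import message_from_bytes
from email.message import EmailMessage

SIZE_THRESHOLD = 130000  # bytes, the figure suggested in the message above

def has_header_exact(raw: bytes, prefix: bytes) -> bool:
    """Case-sensitive prefix match against the raw header lines.
    (msg["date"] would not do: Python's header lookup ignores case.)"""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    return any(line.startswith(prefix) for line in head.split(b"\n"))

def large_attachments(raw: bytes, threshold: int = SIZE_THRESHOLD):
    """Return (filename, decoded_size) for attachments above the threshold."""
    found = []
    for part in message_from_bytes(raw).walk():
        if part.get_filename() is None:
            continue  # not an attachment (container or plain body part)
        payload = part.get_payload(decode=True) or b""
        if len(payload) > threshold:
            found.append((part.get_filename(), len(payload)))
    return found

def check_message(raw: bytes, header_prefix: bytes = b"date: ") -> str:
    """Return a (hypothetical) label for a suspect message, '' otherwise."""
    if has_header_exact(raw, header_prefix) and large_attachments(raw):
        return "SUSPECT-LARGE-ATTACHMENT"
    return ""

def build_sample(date_header: str, size: int) -> bytes:
    """Constructed test message; the attachment is filler bytes only."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "rcpt@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    m.add_attachment(b"\0" * size, maintype="application",
                     subtype="octet-stream", filename="sample.bin")
    first = f"{date_header}: Mon, 30 Jul 2001 20:15:31 +0200\n".encode()
    return first + m.as_bytes()

if __name__ == "__main__":
    # Filter hook: message on stdin, label (or empty line) on stdout.
    print(check_message(sys.stdin.buffer.read()))
```

The size is measured after decoding the transfer encoding, so a base64 attachment is compared by its real length rather than its larger encoded length.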
