[pmmail-list] Complex filter for virus update

Kris Sorem Sr pmmail-list@blueprintsoftwareworks.com
Tue, 31 Jul 2001 01:36:51 -0700 (PDT)


On Sun, 29 Jul 2001 23:38:52 -0400 (EDT), Ralph Cohen wrote:

>I'm curious about what didn't work for you with Kris's filter.  Are you
>finding variations in the other lines of text which cause the pattern
>match to fail?

My suggested filter should only fail a pattern match if there is no
attachment or the message body /does not/ have _both_ lines reported by
McAfee as being present in _every_ message. This revised filter may
work better.

-- begin filter --
a="YES" & !(m.size<"137216") &
(b="Hi! How are you?" | b="See you later. Thanks" |
b="Hola como estas?" | b="Nos vemos pronto, gracias")
-- end filter --

This filter will check for an attachment. If present, it will check for
message size greater than or equal to 134k (the footprint of the SirCam
worm). If greater than 134k, it will check for the presence of one or
more static lines in the message body. The filtered message can then be
checked for an attachment with a double extension.
--
JMO, 
/s/~Kris
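
The filter logic described in the message above, followed by the double-extension check it mentions, as an added Python example that is not part of the original post and is not PMMail code. It assumes m.size means the size of the whole encoded message and that b="..." is a substring match on the body; the function names and the sample messages are constructed for illustration.

```python
import os
from email.message import EmailMessage

MIN_SIZE = 137216  # bytes; 134 * 1024, the threshold used in the filter
STATIC_LINES = ("Hi! How are you?", "See you later. Thanks",
                "Hola como estas?", "Nos vemos pronto, gracias")

def attachment_names(msg):
    """Filenames of the non-body parts (empty list if there are none)."""
    return [p.get_filename() or "" for p in msg.iter_attachments()]

def has_double_extension(name):
    """True for names such as 'budget.xls.pif' (two dotted suffixes)."""
    stem, last = os.path.splitext(name)
    return bool(last) and bool(os.path.splitext(stem)[1])

def matches_filter(msg):
    """a="YES" & !(m.size<"137216") & (b=line1 | b=line2 | ...)"""
    if not attachment_names(msg):
        return False
    # Assumption: m.size is the size of the whole encoded message.
    if len(msg.as_bytes()) < MIN_SIZE:
        return False
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # Assumption: b="..." is a substring match on the body text.
    return any(line in body for line in STATIC_LINES)

def classify(msg):
    """'pass' if the filter misses, else 'quarantine' or 'review'."""
    if not matches_filter(msg):
        return "pass"
    if any(has_double_extension(n) for n in attachment_names(msg)):
        return "quarantine"
    return "review"

def build_sample(body, payload_size=0, filename=None):
    """Constructed test message; the payload is zero bytes, not a sample."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if filename is not None:
        msg.add_attachment(bytes(payload_size), maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    text = "Hi! How are you?\n(constructed middle line)\nSee you later. Thanks\n"
    for size, name in ((140000, "budget.xls.pif"), (1000, "budget.xls.pif")):
        print(size, name, classify(build_sample(text, size, name)))
```
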