[pmmail-list] newlines in filters? -- Sircam virus/worm

Lueko Willms pmmail-list@blueprintsoftwareworks.com
Sat, 28 Jul 2001 22:07:20 +0200 (MES)


On Sat, 28 Jul 2001 15:51:23 -0400 (EDT), Ralph Cohen wrote:
 
  answering to: 
 
> >I have been getting hammered with the SirCam worm 

> I created a simple filter that
> 
> 1) Searches the body of an email for:
> Te mando este archivo para que me des tu punto de vista
> 
> -OR-
> 
> 2) Searches the body of an email for:
> I send you this file in order to have your advice

  This is not safe enough. Consider the following from the
explanation on the virus-worm by Netscape's Antivirus center: 

----- cut on --------------
Message: The message body will be semi-random, but will always
contain one of the following two lines (either English or Spanish) as
the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks



Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
----------- cut off ----------------

  So, the filter should look for the opening and closing lines in
either Spanish or in English.  

  I think a formulation like this would be right: 

 (b = "Hola como estas ?" & b = "Nos vemos pronto, gracias.")
  |  (b = "Hi! How are you?" & b = "See you later. Thanks") 

 
Good luck! 
Lüko Willms 
Frankfurt/Main 
/ Lueko.Willms@T-Online.de 
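
The check proposed in this message, written out as an added example (not part of the original post and not PMMail filter syntax): `contains_pair` requires both sentences of one language anywhere in the body, and `frames_body` is a stricter variant that also requires them to be the first and last non-empty lines, as the quoted advisory describes. The function names and the sample bodies are constructed for illustration.

```python
import re

# Opening/closing sentence pairs from the advisory quoted above.
PAIRS = {
    "es": ("Hola como estas ?", "Nos vemos pronto, gracias."),
    "en": ("Hi! How are you?", "See you later. Thanks"),
}

def norm(text):
    """Lower-case and collapse whitespace so re-wrapping does not defeat a match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def contains_pair(body):
    """The formulation above: both sentences of one language occur anywhere in the body."""
    flat = norm(body)
    for lang, (first, last) in PAIRS.items():
        if norm(first) in flat and norm(last) in flat:
            return lang
    return None

def frames_body(body):
    """Stricter variant: the pair must be the first and last non-empty lines."""
    lines = [n for n in map(norm, body.splitlines()) if n]
    for lang, (first, last) in PAIRS.items():
        if len(lines) >= 2 and lines[0] == norm(first) and lines[-1] == norm(last):
            return lang
    return None

# Constructed sample bodies (not captured mail).
# WORM_ES uses a middle line that a single-sentence filter would not look for.
WORM_ES = "Hola como estas ?\nEspero te guste este archivo que te mando\nNos vemos pronto, gracias.\n"
# WORM_EN has CRLF line endings and a doubled space in the closing line.
WORM_EN = "Hi! How are you?\r\nI hope you can help me with this file that I send\r\nSee you later.  Thanks\r\n"
# LIST_POST is a discussion message that merely quotes the marker lines.
LIST_POST = "Someone wrote:\n> Hi! How are you?\n> See you later. Thanks\nIs this the worm text?\n"
# CLEAN shares only the greeting with the worm text.
CLEAN = "Hi! How are you?\nLunch on Friday?\n"

if __name__ == "__main__":
    for name in ("WORM_ES", "WORM_EN", "LIST_POST", "CLEAN"):
        body = globals()[name]
        print(name, contains_pair(body), frames_body(body))
```

The containment check also flags list traffic that quotes the two sentences, while the positional check does not; the positional check in turn depends on nothing being appended after the closing line in transit.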
