Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • by gnat (29) on 2002.05.09 13:24 (#8205) Journal
    I filter on a "Content-ID" header in the body. I procmail those to a mailfile that I periodically check and clean. I've only had about ten pieces of mail end up in that box that weren't Klez since I started doing that. It appears that MH or Pine sometimes (and I don't know when) adds the Content-ID header to attachments. Every bloody Klez virus has that header, though.


    • Hrm. Sounds like a good thing to add to SpamAssassin's ruleset. I think I shall go do that. Thanks!
    • We'll see if it catches non-klez mail, but for now, this SpamAssassin rule:

          rawbody CONTENT_ID /^Content-ID:/is
          describe CONTENT_ID Content-id in the body usually means Klez
          score CONTENT_ID 5.6

      looks to be a winner.