NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

  • I filter on a "Content-ID" header in the body. I procmail those to a mailfile that I periodically check and clean. I've only had about ten pieces of mail end up in that box that weren't Klez since I started doing that. It appears that MH or Pine sometimes (and I don't know when) adds the Content-ID header to attachments. Every bloody Klez virus has that header, though.

    --Nat

    • Hrm. Sounds like a good thing to add to SpamAssassin's ruleset. I think I shall go do that. Thanks!
    • We'll see if it catches non-klez mail, but for now, this SpamAssassin rule:

          rawbody CONTENT_ID /^Content-ID:/is
          describe CONTENT_ID Content-id in the body usually means Klez
          score CONTENT_ID 5.6

      looks to be a winner.
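As an added illustration of the heuristic these comments describe (not code from the thread or from SpamAssassin), the following Python script approximates the `rawbody CONTENT_ID /^Content-ID:/is` rule: it splits a raw message into headers and body, looks for a `Content-ID:` line inside the body, and also walks the MIME parts to report which part carries the header. The sample messages are constructed, the score of 5.6 is the one given in the thread, and the line-anchored regex is an assumption about how the original rule behaves rather than a reproduction of SpamAssassin's matching engine. The false-positive caveat from the thread (MH or Pine adding Content-ID to legitimate attachments) is why the result is reported as a score contribution rather than a verdict.

```python
import email
import re
from email import policy

# Score the thread assigns to the rule (the post's value, not an official one).
CONTENT_ID_SCORE = 5.6

# Approximation of the SpamAssassin rawbody rule: a header line that reads
# "Content-ID:" appearing somewhere in the body (i.e. in a MIME part's headers).
# re.M anchors '^' to each line; the original uses /is, which is assumed here to
# mean "anywhere in the body, case-insensitively".
CONTENT_ID_RE = re.compile(r"^Content-ID:", re.I | re.M)

# Constructed sample: multipart message whose attachment part carries Content-ID.
# The base64 payload is a harmless placeholder, not a real executable.
MSG_WITH_CONTENT_ID = b"""From: sender@example.invalid
To: you@example.invalid
Subject: a funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body>hi</body></html>
--BOUND
Content-Type: application/octet-stream; name="game.exe"
Content-Transfer-Encoding: base64
Content-ID: <abc123@example.invalid>

cGxhY2Vob2xkZXI=
--BOUND--
"""

# Constructed sample: plain text message with no Content-ID anywhere.
MSG_CLEAN = b"""From: friend@example.invalid
To: you@example.invalid
Subject: lunch
Content-Type: text/plain

See you at noon.
"""


def split_headers_body(raw: bytes) -> tuple[str, str]:
    """Split a raw RFC 822 message at the first blank line (LF or CRLF)."""
    text = raw.decode("latin-1")
    for sep in ("\r\n\r\n", "\n\n"):
        if sep in text:
            head, body = text.split(sep, 1)
            return head, body
    return text, ""


def rawbody_has_content_id(raw: bytes) -> bool:
    """Equivalent of the thread's rawbody rule: Content-ID header line in the body."""
    _, body = split_headers_body(raw)
    return CONTENT_ID_RE.search(body) is not None


def content_id_parts(raw: bytes) -> list[tuple[str, str]]:
    """List (content-type, Content-ID) for every non-container MIME part that has one.

    Useful for checking whether a hit came from an executable attachment or from
    a legitimate inline part, which is the false-positive case the thread mentions.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = part.get("Content-ID")
        if cid is not None:
            hits.append((part.get_content_type(), str(cid)))
    return hits


def score_message(raw: bytes) -> float:
    """Return the score contribution of the CONTENT_ID rule for this message."""
    return CONTENT_ID_SCORE if rawbody_has_content_id(raw) else 0.0


if __name__ == "__main__":
    for name, raw in (("with-content-id", MSG_WITH_CONTENT_ID), ("clean", MSG_CLEAN)):
        print(name, score_message(raw), content_id_parts(raw))
```

Because `content_id_parts` reports the content type of the part that triggered the rule, a site that wants to reduce the MH/Pine false positives could confine the score to non-text parts, while keeping the rule itself a trigger for quarantine review rather than a definitive malware verdict.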
  • If you used qmail and qpsmtpd [develooper.com] you could just use our klez patch [perl.org] to filter it out.
    --

    -- ask bjoern hansen [askbjoernhansen.com], !try; do();

    • Yeah, but that'd require using qmail. Alas, I have non-technical issues with it, so I don't. (Not that I'd be looking forward to getting the sendmail->qmail transition done well--I'm not a Unix sysadmin by trade)
  • This is probably our number one question about spamassassin. My response is that catching viruses is a hell of a different task to catching spam. While the engine is similar, the structure around it is different (it's kinda like the difference between a car and a boat).

    Heuristically detecting viruses is a bitch of a problem. Well not exactly a bitch, it's actually far easier than detecting spam because you can determine that something is trying to do something malicious (even in PE code) (I had a talk abou
    • I'm fine with SpamAssassin not doing virus detection. (Not that it matters, as there aren't any functional WinBoxes around the house) I was just kinda hopeful that the klez worm mail would have a distinctive enough signature that it'd be able to detect it without me actually having to do any work. :)

      Still, can't complain--it works as advertised, and rather well at that. And thanks to Nat, I managed to abuse it into doing things it didn't advertise, so I'm happy. It's on my permanent list 'o cool system uti
      • Now if we could just get these twits to stop doing this sort of nonsense in the first place....

        Hey don't say that! If it wasn't for microsoft and their great security I wouldn't have a job ;-)

        I'd give you the key to detecting all Klez variants if I knew exactly what it was myself, but I can't grok our AV guy's code. It's something to do with disassembling the PE code (Win32 binary) and detecting it based on the lack of the CompanyName header in there. Or something like that.

        Also of interest may be OpenA [openantivirus.org]
        • I'm sure you could find something useful to do with your time if you weren't writing virus filtering code. :)

          I threw a rule with a weight of 5.6 in my SpamAssassin config files for messages with a Content-ID: header in the body. Rumor has it that it's not a 100% guarantee, but it's working as a filter trigger for me.