[Esd-l] Anyone got a procmail signature for Klez?

Bart Schaefer schaefer at zanshin.com
Sat Apr 27 19:42:01 PDT 2002

I posted one a few days ago.  Here it is again as I'm using it now; so far 
it has 100% accuracy on copies we've received at zanshin, and hasn't had
any false positives.  I've deliberately removed the delivery part of the
recipe, as it's highly specific to our site.

* ^Content-Type:.*(multipart|attachment)
* > 50000
* ^Content-Type:[ 	]*(audio/x-|application)
* 1^0 ()<i?frame[ 	]*src=(3d)?cid:
* 1^0 ^--[^ ]+$$Content-
* 1^0 ^--[^ ]+$--[^ ]+$

This takes advantage of poor MIME formatting in the Klez messages.  The
last scoring condition there could conceivably give a false positive on a
legitimately empty body part, but combined with the (audio/x-|application)
condition the chances of a hit are pretty small.
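The same conditions re-implemented in Python and run over two constructed messages, added here as an illustration and not part of Bart's recipe or this thread. It assumes the (unposted) recipe header matched conditions against both header and body, since the body patterns need that; the size threshold is a parameter defaulting to the recipe's 50000; and `[^ ]` is written as `[^ \n]` so a boundary match never runs past its line. The sample messages are constructed for the demo and are not real Klez samples.

```python
import re

# Constructed sample with the MIME quirks the recipe keys on (not a real
# Klez message): an iframe pulling a cid: part, and two adjacent boundary
# lines (an empty body part) in front of an audio/x- part.
SUSPECT = "\n".join([
    "From: someone@example.invalid",
    "Subject: constructed sample",
    'Content-Type: multipart/alternative; boundary="XYZ"',
    "",
    "--XYZ",
    "Content-Type: text/html",
    "",
    "<iframe src=3Dcid:part1></iframe>",
    "--XYZ",
    "--XYZ",
    'Content-Type: audio/x-wav; name="sample.wav"',
    "Content-Transfer-Encoding: base64",
    "",
    "A" * 60000,  # filler so the size condition (> 50000 bytes) holds
    "--XYZ--",
    "",
])

# Constructed legitimate message: multipart, large, with an application/
# part, but well-formed MIME, so the required conditions hold while the
# score stays at zero and the recipe does not fire.
LEGIT = "\n".join([
    "From: friend@example.invalid",
    "Subject: report",
    'Content-Type: multipart/mixed; boundary="ABC"',
    "",
    "--ABC",
    "Content-Type: text/plain",
    "",
    "Report attached.",
    "--ABC",
    'Content-Type: application/pdf; name="report.pdf"',
    "Content-Transfer-Encoding: base64",
    "",
    "A" * 60000,
    "--ABC--",
    "",
])

# procmail matches case-insensitively and '^' matches at every line start;
# re.I | re.M reproduce that. procmail's '$' in these patterns is a literal
# newline, written here as '\n'. '[^ \n]' keeps a boundary match on one line.
FLAGS = re.I | re.M

REQUIRED = [
    r"^Content-Type:.*(multipart|attachment)",      # * ^Content-Type:.*(multipart|attachment)
    r"^Content-Type:[ \t]*(audio/x-|application)",  # * ^Content-Type:[ \t]*(audio/x-|application)
]
SCORED = [
    r"<i?frame[ \t]*src=(3d)?cid:",  # * 1^0 ()<i?frame[ \t]*src=(3d)?cid:
    r"^--[^ \n]+\n\nContent-",       # * 1^0 ^--[^ ]+$$Content-
    r"^--[^ \n]+\n--[^ \n]+\n",      # * 1^0 ^--[^ ]+$--[^ ]+$
]


def klez_score(msg, min_size=50000):
    """Apply the recipe's conditions to a raw message string.

    Returns a dict: 'required' lists the unscored conditions in recipe
    order (all must hold), 'score' counts the 1^0 conditions that matched,
    and 'match' is True when the recipe would fire (all required, score > 0).
    """
    msg = msg.replace("\r\n", "\n")
    required = [re.search(p, msg, FLAGS) is not None for p in REQUIRED]
    required.insert(1, len(msg.encode()) > min_size)  # * > 50000
    score = sum(re.search(p, msg, FLAGS) is not None for p in SCORED)
    return {
        "required": required,
        "score": score,
        "match": all(required) and score > 0,
    }


if __name__ == "__main__":
    for name, sample in (("SUSPECT", SUSPECT), ("LEGIT", LEGIT)):
        print(name, klez_score(sample))
```

The legitimate sample deliberately satisfies all three required conditions (multipart, over 50000 bytes, an application/ part); it is only the scored conditions, which look at the malformed MIME structure, that separate it from the suspect one. That is the property to keep an eye on if the recipe is tuned: loosening the structural conditions is what would turn ordinary large attachments into false positives.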
