[Esd-l] Sircam virus filter

David Collantes david at bus.ucf.edu
Wed Aug 1 07:40:27 PDT 2001


On 01/08/01 at 11:41am, Juan Manuel Calvo wrote:

|I have found a very simple solution to the Sircam problem. Your
|procmail sanitizer allows defanging the attachment but the users
|receive the email.
|
|I have added the following lines in my /etc/procmailrc BEFORE
|the sanitizer:
|
|------------cut here-----------------------
|# This tries to match a binary string from the SirCam virus
|# in the base64 encoded MIME attachment.
|# B: search body, D case sensitive
|:0BD
|* AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
|/var/spool/mail/sircamvirus
|
|------------cut here-----------------------

I think that is a poor way to do things. I could easily modify SirCam and
make the rule above worthless. SirCam comes with double extensions, simply
poison those and you are set. Adding rules like the above makes the system
bloated while adding little efficiency. Just my .02 cents.

Cheers!

,--------------------------------.,---------------------------------.
| David Collantes                || UCFBusiness, UCF, Orlando, FL   |
| Senior Systems Administrator   || Telephone: (407) 823-3418       |
`--------------------------------'`---------------------------------'
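The double-extension check suggested in the reply above, sketched in Python as an added example; it is not part of the original post or of the procmail sanitizer. The executable-extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed list of executable final extensions; adjust to local policy.
EXECUTABLE_EXTS = {"bat", "com", "exe", "lnk", "pif", "scr", "vbs"}

# Matches names ending in two short extensions, e.g. "name.doc.pif".
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})\.([A-Za-z0-9]{1,5})\s*$")

def is_double_extension(filename):
    """True if the name ends in two extensions and the last is executable."""
    m = DOUBLE_EXT.search(filename or "")
    return bool(m) and m.group(2).lower() in EXECUTABLE_EXTS

def suspicious_attachments(raw_message):
    """Return filenames of MIME parts that use an executable double extension."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_double_extension(n)]

# Constructed sample message (not a real capture); payloads are harmless text.
SAMPLE = """\
From: a@example.org
Subject: budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See the attached file.
--XX
Content-Type: application/octet-stream; name="budget.xls.pif"
Content-Disposition: attachment; filename="budget.xls.pif"
Content-Transfer-Encoding: base64

aGFybWxlc3MgcGxhY2Vob2xkZXI=
--XX
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.v2.pdf"

harmless placeholder
--XX--
"""

if __name__ == "__main__":
    print(suspicious_attachments(SAMPLE))
```

The check keys on the attachment name only, so it does not depend on any byte string inside the payload.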


