Re: [vox-tech] Virus deluge
on Tue, Jan 27, 2004 at 10:39:17PM -0800, Mark K. Kim (markslist@cbreak.org) wrote:
> On Tue, 27 Jan 2004, Karsten M. Self wrote:
>
> > > ================================================================================
> > > :0 B
> > > * -1
> > > * 1^0 ^Content-Transfer-Encoding: base64
> > > * 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
> > > * 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
> > > * 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
> > > * 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
> > > * 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
> > > * 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
> > > {
> > > LOG="LOG: Virus: (Mydoom / Novar)"
> > >
> > > :0:
> > > Virus/
> > > }
> > > ================================================================================
>
> I'm new to procmail so can I ask some questions?
>
> What do ":0 B", "-1", and "1^0" do? Does LOG do anything?
Peter got most of this.
:<number> starts a recipe. Used to be that <number> was (IIRC) the
number of lines in the recipe. Now it's typically set to 0, and has no
special significance.
'B' scans body
: *after* '0' indicates a lockfile. Any rule that writes to a file
_should_ use a lockfile. Rules which invoke a program '| command'
or delivery '! address' _don't_ need a lockfile.
For more information: man procmail; man procmailrc; man procmailex
* <number>
* <number>^<number>
...are scoring rules. The first number says what to add. The
second says when to add it, and by how much. I understand this only
vaguely.
Essentially:
- No trailing value means "apply this score once in the evaluation of
this recipe".
- A trailing '0' means "apply this score once and only once if it is
matched"
- A trailing '1' means "add the score for *each* occurrence of a match."
- 0 < x < 1: Each successive match contributes less than the prior one.
The score asymptotically approaches a value.
- 1 < x : Each successive match contributes more than the prior one.
The score grows asymptotically.
For more information: man procmailsc
The rule says, in English:
- Start a recipe. Scan the body.
- Use scoring. Set a default score of '-1' (require two matches for
the rule to take effect)
- Add one for a base64 MIME encoding demarcation.
- Add one for any of the following legacy MS Windows executable
signatures.
- The condition in braces is met if two rules matched.
- (If logging) log that this was a MyDoom virus match.
- Write to the Virus folder, a Maildir directory (the trailing '/'
indicates).
> Thanks! The rules seem to be working so far...
NP.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Sick of mal-formed websites? A stylesheet to override poor design:
http://twiki.iwethey.org/Main/UserContentCSS
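As an added illustration, not part of the original thread, the Python below models procmail's weighted scoring as described above (first match adds w, the n-th adds w*x^(n-1), action fires when the total ends above 0) and replays the MyDoom recipe's logic over constructed message bodies. The signature strings and bodies are constructed placeholders, not the real base64 fragments from the recipe.

```python
import re


def score_condition(weight, exponent, pattern, text):
    """Score one `* w^x regexp` condition over text.

    Per procmailsc: the first match adds w, the second w*x, the third
    w*x^2, ... so x=0 counts only the first match, x=1 counts every
    match, and 0<x<1 converges towards w/(1-x).  An empty pattern
    matches once unconditionally, which is how `* -1` sets the start.
    """
    if pattern == "":
        return weight
    n = len(re.findall(pattern, text, re.MULTILINE))
    return sum(weight * exponent ** i for i in range(n))


def score_recipe(conditions, text):
    """Total recipe score; procmail runs the action when it ends > 0."""
    return sum(score_condition(w, x, p, text) for w, x, p in conditions)


# Constructed stand-ins for the base64 fragments in the recipe; they
# are placeholders, not real malware signatures.
SIGNATURES = ["CONSTRUCTEDSIGNATUREONE", "CONSTRUCTEDSIGNATURETWO"]

MYDOOM_RECIPE = [(-1, 0, "")]                      # `* -1`: start at -1
MYDOOM_RECIPE.append((1, 0, r"^Content-Transfer-Encoding: base64"))
MYDOOM_RECIPE += [(1, 0, s) for s in SIGNATURES]   # `* 1^0 <signature>`


def matches_virus_rule(body):
    """True when the recipe's braces block would run (deliver to Virus/)."""
    return score_recipe(MYDOOM_RECIPE, body) > 0


# Constructed bodies: a harmless base64 attachment scores -1 + 1 = 0,
# so it is NOT filed under Virus/; one with a signature scores +1.
CLEAN_BASE64 = (
    "Content-Type: image/jpeg\n"
    "Content-Transfer-Encoding: base64\n"
    "/9j/4AAQSkZJRgABAQEASABIAAD\n"
)
VIRUS_LIKE = CLEAN_BASE64 + "CONSTRUCTEDSIGNATUREONE\n"

if __name__ == "__main__":
    print("clean attachment:", score_recipe(MYDOOM_RECIPE, CLEAN_BASE64))
    print("virus-like body: ", score_recipe(MYDOOM_RECIPE, VIRUS_LIKE))
```

Because every condition uses exponent 0, repeating the signature in a body does not raise the score further; swap in exponent 1 to see each occurrence add its weight.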