develooper Front page | perl.qpsmtpd | Postings from May 2002

Re: klez filter

From: Ask Bjoern Hansen
Date: May 8, 2002 15:56
Subject: Re: klez filter
Message ID: 20020508155527.Y27376-100000@onion.valueclick.com

I have not put it in yet on my servers, but if you don't have any
post-smtpd filtering then this might be useful.

---------- Forwarded message ----------
Date: Wed, 8 May 2002 15:06:38 -0700
From: Robert Spier <robert@perl.org>
To: Ask Bjoern Hansen <ask@perl.org>
Subject: Re: klez nonsense

Ask Bjoern Hansen writes:
>
>actually, a patch to qpsmtpd would be even cooler. :^)

I think this is right.

As before, I haven't tested this.

I'm also wary of putting this stuff right into the SMTPd, but oh
well.  :)

This rule could be triggered if someone sends an email containing just
the signature, but I guess that's the risk with any rule.

-R

Index: qpsmtpd
===================================================================
RCS file: /cvs/public/qpsmtpd/qpsmtpd,v
retrieving revision 1.11
diff -u -u -r1.11 qpsmtpd
--- qpsmtpd	21 Apr 2002 03:28:20 -0000	1.11
+++ qpsmtpd	8 May 2002 22:04:56 -0000
@@ -214,6 +214,14 @@
       }


+      # Might be klez
+      m/^Content-type:.*(?:audio|application)/
+          and $matches{"klez"}=1;
+
+      # we've seen the Klez signature, we're probably infected
+      $blocked = q[Take your Klez virus and stuff it!  HAND.]
+         if $matches{"klez"} and m!^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA!;
+
       $buffer .= $_;
       $size += length $_;
     }
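
Review bot: the header test `m/^Content-type:.*(?:audio|application)/` has no `/i`, so a message that spells the header `Content-Type:` never sets `$matches{"klez"}` and the second check cannot fire; header names are case-insensitive, so add the `i` flag. Separately, the string in `m!^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA!` is the base64 encoding of the generic DOS/PE "MZ" executable header rather than anything unique to Klez, and `$matches{"klez"}` is not reset anywhere in these lines, so once any audio or application part has been seen, any later line starting with a base64-encoded Windows executable is rejected with a Klez message. If blocking all such executables is the intent, say so in the comment and in the `$blocked` text; if not, the rule needs a narrower signature. The comment "we're probably infected" should also read as the sender being infected, and since the author notes the patch is untested, it should be run against a captured sample and a clean message with an attachment before it is committed.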



