On Sun, May 19, 2002 at 11:14:18AM -0700, Bob File wrote:
> This regexp filter (suitable for perl and procmail) has blocked 2.7GB of Klez
> mail on our server (we're a web host) since May 1st.
>
> ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi 0SODIlEjwyLRI4IiUSPCItE$
>
BTW, thanks for posting this. My wife and I have been getting a lot of
email with large mime-encoded attachments. She runs Windows, but not
Outlook or like products, so she's had no "infections" from this. I run
Linux, so naturally I don't get infected either. However, it was a
puzzle what all this was. I just saved them off and wrote various
messages to abuse@<whateverISP>.
Anyway, since I saved all these to a central folder, I used a regex
search based on the signature above to scan through that folder. Sure
enough, almost every email in it had this signature. So now I know these
have been klez virus emails. And I've put this little regex in my
procmailrc. Hopefully it will shunt all such future emails into their
own folder.
My wife? Well, she's stuck, since Netscape has only the most rudimentary
filtering capabilities. But at least we know what it is now.
Paul
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:01:27 EDT