On Sun, May 19, 2002 at 11:14:18AM -0700, Bob File wrote:
<snip>
> This regexp filter (suitable for perl and procmail) has blocked 2.7GB of Klez
> mail on our server (we're a web host) since May 1st.
>
> ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi 0SODIlEjwyLRI4IiUSPCItE$
>
> Enjoy.
>
> So my question is about the above regex; to my slightly trained eye the above
> filter is beginning of the line-string sequence-end of the line. IOW, a line
> just like the above with the caret on the front and the dollar sign on the
> end gone. Is this correct? And I assume that I would look for this one line
> string in the body of the message.

Yes, you are correct. The caret signifies beginning of line, and the
dollar sign signifies end of line in the perl/procmail regex world.
What's between is pretty much what you guessed-- the signature of this
virus.

Is this really the signature of the klez virus? I have no idea, but from
your research, it looks like it.

Paul
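
The anchoring discussed in this thread, as an added example that is not part of the original messages: a Python sketch of whole-line signature matching against the raw (still encoded) message body. The function names and the signature string are constructed placeholders, and matching the undecoded body text is an assumption about how such a filter is applied.

```python
import re
from email import message_from_string

# Constructed placeholder line (base64 alphabet), NOT the signature from the post.
SIGNATURE_LINE = "QUJD+REVG/R0hJSktMTU5PUFFSU1RVVldYWVo="

# re.escape matters: '+' and '/' occur in base64 and '+' is a regex operator.
# re.MULTILINE makes ^ and $ anchor at every line; \r? tolerates CRLF mail.
ANCHORED = re.compile(r"^" + re.escape(SIGNATURE_LINE) + r"\r?$", re.MULTILINE)
UNANCHORED = re.compile(re.escape(SIGNATURE_LINE))


def body_matches(raw_message, anchored=True):
    """Return True if any body part contains a line matching the signature.

    Headers are never searched, so the string appearing in a Subject line
    does not count as a hit.
    """
    pattern = ANCHORED if anchored else UNANCHORED
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=False)  # raw, still-encoded text
        if isinstance(payload, str) and pattern.search(payload):
            return True
    return False


def constructed_message(body_lines, eol="\n", subject="hello"):
    """Build a small sample message; every value here is constructed."""
    headers = [
        "From: sender@example.com",
        "Subject: " + subject,
        "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: base64",
    ]
    return eol.join(headers) + eol + eol + eol.join(body_lines) + eol


if __name__ == "__main__":
    sample = constructed_message(["AAAA", SIGNATURE_LINE, "BBBB"], eol="\r\n")
    print("whole-line match on CRLF mail:", body_matches(sample))
```

Without the `\r?`, Python's `$` would not match before the carriage return in CRLF-terminated mail, so the anchored pattern would silently miss every message that arrives with network line endings.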