#ident "@(#)util/smail:RELEASE-3_2_0_121:dead-mail.egrep,v 1.5 2004/07/24 15:50:52 woods Exp"
#
# The following file should list expressions that can be used to
# identify bogus e-mail that cannot be expected to have a valid return
# address -- e.g. spam, viruses, etc. Any frozen bounces which match
# any one of these expressions will be deleted from the error queue
# and the undeliverable sender address will be added to the
# dead-mail.senders file such that no future e-mail will be accepted
# from that address since obviously that sender address is invalid.
#
# Expressions MUST NOT contain "'" (single close-quote) characters.
#
# Expressions are passed on the command-line to egrep using '-e'.
# This limits the total length of all expressions to somewhat less
# than the maximum allowed command line length of the host system.
#
# A line containing only '-i' will be passed unchanged to egrep, in
# a command-line position corresponding to the lines it sits between,
# and as such can be used to turn on case-insensitivity for any
# patterns which follow it.
#
# Lines beginning with '#' are comments. Empty lines and comments are
# ignored.
#
# This first pattern matches the first line of any M$ Windoze ELF32
# executable as a BASE-64 encoded file:
#
^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA
#
# This next pattern should do the same for UUENCODED executables:
#
^M35[GHIJK].`..`..*````
#
# The next pattern catches the first line of any BASE-64 encoded ZIP
# versions of the MyDoom virus and similar (including those using
# encrypted ZIPs)
#
# this one only lets through about 1.6% of known worms so far, but allows v2.0 ZIPs:
^UEsDBAoAA[AQ]AAA[A-Za-z0-9+/]+$
# this one blocks all known worms, but also blocks many v2.0 ZIPs:
#^UEsDB[AB][Qo]AA[AQ]A[AI]A[A-Za-z0-9+/]+$
# this is the old-fashioned one
#^UEsDBAoAAAAAA
#
#
-i
#
# Character case should be ignored for the remaining patterns.
#
The file was successfully deleted by RAV AntiVirus
I send you this file in order to have your advice
#
# Even though M$ Windoze no longer uses the filename extension alone,
# matching attachment names against the known executable extensions
# will at least identify guaranteed unwanted content.
#
^[ ]*content-(disposition|type).*name[ ]*=[ ]*"?(.*\.(386|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|jse|lnk|mdb|mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|pgm|pif|pkg|pot|ppt|pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|shs|swf|sys|tlb|tsp|ttf|vb|vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|wsc|wsf|wsh|xla|xlb|xlc|xld|xlk|xll|xlm|xls|xlt|xlv|xlw|xnk))"?[ ]*$
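
The following is an added example, not part of smail: it parses a constructed excerpt of this file with Python's `re` standing in for egrep, and checks constructed base64 lines against the executable and ZIP patterns, including the v2.0 ZIP that the active pattern lets through. The names `load_rules`, `first_match`, `b64_line` and `zip_line`, the abbreviated extension list, and all sample inputs are assumptions made for the example.

```python
import base64
import re
import struct

# Constructed excerpt in the dead-mail.egrep format. The patterns are copied
# from the file above, except the extension list, which is abbreviated here.
RULES = r'''
# comments and empty lines are ignored
^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA
^UEsDBAoAA[AQ]AAA[A-Za-z0-9+/]+$
-i
^[ ]*content-(disposition|type).*name[ ]*=[ ]*"?(.*\.(exe|pif|scr))"?[ ]*$
'''

def load_rules(text):
    """Parse the format: skip '#' and blank lines; a bare '-i' makes every
    later pattern case-insensitive, as the file header describes."""
    flags, rules = 0, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line == "-i":
            flags = re.IGNORECASE
        elif "'" in line:
            raise ValueError("single quote not allowed: %r" % line)
        else:
            rules.append(re.compile(line, flags))
    return rules

def first_match(rules, line):
    """Return the text of the first pattern that matches the line, or None."""
    return next((r.pattern for r in rules if r.search(line)), None)

def b64_line(data):
    """Encode 57 bytes as one unpadded 76-character MIME base64 line."""
    return base64.b64encode(data.ljust(57, b"\0")).decode("ascii")

def zip_line(version, flags, method):
    """First base64 line of a constructed ZIP local file header."""
    return b64_line(b"PK\x03\x04" + struct.pack("<HHH", version, flags, method))

# Constructed samples: the start of a DOS/PE "MZ" header and three ZIP headers.
MZ = b64_line(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8")
RULESET = load_rules(RULES)
if __name__ == "__main__":
    for name, line in [("MZ", MZ), ("zip v1.0 stored", zip_line(10, 0, 0)),
                       ("zip v1.0 encrypted", zip_line(10, 1, 0)),
                       ("zip v2.0 deflate", zip_line(20, 0, 8))]:
        print(name, "->", first_match(RULESET, line))
```

With GNU grep, `-i` applies to every `-e` pattern regardless of where it appears on the command line, so the per-position behaviour modelled here depends on the egrep in use.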