"Greetings"

[Julian Field]

For those of you running version 3, take a look in sweep.pl. You should
find a little chunk of code that looks like this:

       # X-Spanska: header ==> "Happy" virus
       if (grep /^X-Spanska:/i, @headers) {
         MailScanner::Log::InfoLog("Other Checks: Found Happy virus in %s",
$id);
         $message->{otherreports}{""} .= "\"Happy\" virus\n";
         $message->{othertypes}{""}   .= "v";
         $counter++;
         $message->{otherinfected}++;
       }

If you change that to

       # X-Spanska: header ==> "Happy" virus
       if (grep /^Subject:.*you have an E-Card from/i, @headers) {
         MailScanner::Log::InfoLog("Other Checks: Found Friendly Greetings
E-Card in %s", $id);
         $message->{otherreports}{""} .= "\"Friendly Greetings\" E-Card\n";
         $message->{othertypes}{""}   .= "v";
         $counter++;
         $message->{otherinfected}++;
       }

then those messages (or anything else with a subject line containing "you
have an E-Card from") will have their contents removed.

Version 4 users need to give me a couple of hours so I can write some nice
fancy arbitrary-header-content-filtering system.

At 15:03 25/10/2002, you wrote:
>Hello,
>
>Checkout http://www.sophos.com/virusinfo/articles/greetings.html
>
>Not a virus, not spam - still a huge risk.
>
>Could someone assist me with writing a rule that triggers on "You can pick
>up your E-Card at the FriendGreetings.com" or similar
>
>regards, Tony
>
>ps: I'm using mailscanner 3.24-1 with spamassassin 2.43

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ