1#!perl -w 2 3sub hook_data_post { 4 my ($self, $transaction) = @_; 5 6 # klez files are always sorta big .. how big? Dunno. 7 return (DECLINED) 8 if $transaction->data_size < 60_000; 9 10 # 220k was too little, so let's just disable the "big size check" 11 # or $transaction->data_size > 1_000_000; 12 13 # maybe it would be worthwhile to add a check for 14 # Content-Type: multipart/alternative; here? 15 16 # make sure we read from the beginning; 17 $transaction->body_resetpos; 18 19 my $line_number = 0; 20 my $seen_klez_signature = 0; 21 22 while ($_ = $transaction->body_getline) { 23 last if $line_number++ > 40; 24 25 m/^Content-type:.*(?:audio|application)/i 26 and ++$seen_klez_signature 27 and next; 28 29 return (DENY, "Klez Virus Detected") 30 if $seen_klez_signature 31 and m!^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA!; 32 33 } 34 35 return (DECLINED); 36} 37