1#!perl -w
2
3sub hook_data_post {
4    my ($self, $transaction) = @_;
5
6    # klez files are always sorta big .. how big?  Dunno.
7    return (DECLINED)
8      if $transaction->data_size < 60_000;
9
10    #   220k was too little, so let's just disable the "big size check"
11    #   or $transaction->data_size > 1_000_000;
12
13    # maybe it would be worthwhile to add a check for
14    # Content-Type: multipart/alternative; here?
15
16    # make sure we read from the beginning;
17    $transaction->body_resetpos;
18
19    my $line_number         = 0;
20    my $seen_klez_signature = 0;
21
22    while ($_ = $transaction->body_getline) {
23        last if $line_number++ > 40;
24
25        m/^Content-type:.*(?:audio|application)/i
26          and ++$seen_klez_signature
27          and next;
28
29        return (DENY, "Klez Virus Detected")
30          if $seen_klez_signature
31          and m!^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA!;
32
33    }
34
35    return (DECLINED);
36}
37