diff --git a/plugins/klez_filter b/plugins/klez_filter
new file mode 100644
index 0000000..2a1afe9
--- /dev/null
+++ b/plugins/klez_filter
@@ -0,0 +1,38 @@
+sub register {
+ my ($self, $qp) = @_;
+ $self->register_hook("data_post", "check_klez");
+}
+
+sub check_klez {
+ my ($self, $transaction) = @_;
+
+ # klez files are always around 140K, no?
+ return (DECLINED)
+ if $transaction->body_size < 60_000
+ or $transaction->body_size > 220_000;
+
+ # maybe it would be worthwhile to add a check for
+ # Content-Type: multipart/alternative; here?
+
+ # make sure we read from the beginning;
+ $transaction->body_resetpos;
+
+ my $line_number = 0;
+ my $seen_klez_signature = 0;
+
+ while ($_ = $transaction->body_getline) {
+ $line_number++;
+ warn "$_";
+ m/^Content-type:.*(?:audio|application)/i
+ and ++$seen_klez_signature and next;
+
+ return (DENY, "Klez Virus Detected")
+ if $seen_klez_signature
+ and m!^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA!;
+
+ last if $line_number > 40;
+ }
+
+ warn "DECLINED is ", DECLINED;
+ return (DECLINED);
+}
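Review bot: `warn "$_";` inside the while loop in check_klez writes every scanned body line (about the first 40 lines of each message between 60 and 220 KB) to the server's stderr, which copies mail content into the logs. It looks like leftover debugging, as does `warn "DECLINED is ", DECLINED;` before the final return; both should be dropped or sent through the project's logger at a debug level. The loop also assigns to the global `$_` and ends on any false value, so `while (defined(my $line = $transaction->body_getline)) {` with the two matches bound to `$line` would leave the caller's `$_` alone. The string on the DENY condition appears to be the base64 form of a generic Windows executable header rather than anything specific to Klez, so I would add a comment such as `# matches the base64 start of any PE attachment, not only Klez` so that whoever reads the rejection logs knows the message can be wrong about the family.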