Re: [cobalt-users] Bouncing Email's with Attachements W32.Sircam.Worm@mm
- Subject: Re: [cobalt-users] Bouncing Email's with Attachements W32.Sircam.Worm@mm
- From: "Edward Bishop" <eddie@xxxxxxxxxxxxxxxx>
- Date: Fri Aug 3 18:56:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
From: Michael <mike@xxxxxxxxxx>
Here is a copy of my procmailrc; it is chmod 700.
> PATH=/bin:/usr/bin:/usr/bin
> MAILDIR=$HOME/mail
> #DEFAULT=$MAILDIR/mbox
> LOGFILE=/var/log/procmaillog
> LOGABSTRACT=ALL
> VERBOSE=ON
> :0:sircam.lock
> * B ?? Hi\! How are you(\?|=3F)
> * 1^0 B ?? I send you this file in order to have your advice
> * 1^0 B ?? I hope you like the file that I send( t)?o you
> * 1^0 B ?? This is the file with the information that you ask for
> * B ?? See you later(\.|=2E) Thanks
> /dev/null
> #That could also be /dev/null instead
>
> This is the results in the log after I sent myself a sircam as a test:
>
> procmail: No match on "Hi\! How are you(\?|=3F)"
> procmail: [29601] Fri Aug 3 13:35:16 2001
> procmail: Match on "Hi\! How are you(\?|=3F)"
> procmail: Score: 1 1 "I send you this file in order to have your advice"
> procmail: Score: 0 1 "I hope you like the file that I send( t)?o you"
> procmail: Score: 0 1 "This is the file with the information that you ask for"
> procmail: Match on "See you later(\.|=2E) Thanks"
> procmail: Locking "sircam.lock"
> procmail: Assigning "LASTFOLDER=/dev/null"
> procmail: Opening "/dev/null"
> procmail: Unlocking "sircam.lock"
> From michael@xxxxxxxxxxxxxxxxxxxx Fri Aug 3 13:35:16 2001
> Subject: 11january
> Folder: /dev/null  2057
> procmail: Notified comsat: "mthiessen@0:/dev/null"
>
> Is this correct? Is it smacking all my sircams?
>
Yes, that's working. We took the conversation offlist because it was getting
a bit complicated and Colin J Raven has been providing his excellent
assistance to me there. Here is his final explanation of how it works and
further advice:
"OK a few points you need to know:
1. procmail: Score: 1 1 "I send you this file in order to have your advice"
Bingo! It matched with a perfect score (of 1 meaning bullseye)
2. procmail: Match on "See you later(\.|=2E) Thanks"
Bingo! It matched with a perfect score (of 1 meaning bullseye)
3. procmail: Locking "/home/tmp/sircam.lock"
procmail: Assigning "LASTFOLDER=/home/tmp/sircam/msg.CATC"
procmail: Opening "/home/tmp/sircam/msg.CATC"
procmail: Acquiring kernel-lock
procmail: Unlocking "/home/tmp/sircam.lock"
Bingo! It locked the directory, stuffed the bad shit in there, unlocked its
file lock and exited to possibly do other things.
You're there dude.
Watch /home/log/procmaillog
Read your /etc/procmailrc I put some other stuff in there to keep you safe
(see below)
turn off verbose (VERBOSE=OFF) after a day or two and rm your logfile, then:
touch /home/log/procmaillog
chmod 0700 /home/log/procmaillog
every week or so (after reading it) OR put that operation on a cron job"
After Colin's intervention my /etc/procmailrc is as follows:
SHELL=/bin/sh
LOGFILE=/home/log/procmaillog
#changed to /home/log/procmaillog to avoid filling up /var partition
LOGABSTRACT=ALL
VERBOSE=ON
#################################################################
#This stops a bunch of bad news attachments from coming through
#attachments are defined in the "filename" variable
#how to deal with them is laboriously described below
:0
*^Content-type: (multipart/mixed|application/octet-stream)
{
:0 HB
*^Content-Disposition: (attachment|inline);
*filename=".*\.(vbs|wsf|eml|shs|exe|nws|chm|pif|vbe|hta|scr)"
{
SHELL=/bin/bash
:0 fhbw
|/bin/sed -e \
's/\([nN][aA][mM][eE]=".*\.[vV][bB][sS]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[wW][sS][fF]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[eE][mM][lL]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[nN][wW][sS]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[sS][hH][sS]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[eE][xX][eE]\)"/\1.not"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[cC][hH][mM]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[pP][iI][fF]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[hH][tT][aA]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[vV][bB][eE]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[sS][cC][rR]\)"/\1.txt"/'
#after the filter has renamed the attachment, file the message with a lock
:0:
/home/tmp/crap
}
}
###############################################################
#This section deals only with SirCam
:0:
* ! ^X-BeenThere: procmail@xxxxxxxxxxxxxxxxxxxx
* 1^0 B ?? I send you this file in order to have your advice
* 1^0 B ?? I hope you like the file that I send( t)?o you
* 1^0 B ?? This is the file with the information that you ask for
* B ?? See you later(\.|=2E) Thanks
/home/tmp/sircam
#That could also be /dev/null instead of /home/tmp/sircam
##############################################################
#This deals with a troubling virus (mainly harmless)
#That causes weirdness with users' M$ PCs
:0
* ^From: .*\<hahaha@sexyfun\.net\>
/dev/null
###############################################################
#This deals with something that changes file structures on
#users' PCs. Not much else but it's still malicious code
#and therefore should be prevented
:0
* ^Subject: Young Naked Wife!
/dev/null
################################################################
#Not much to report but I get hits on evil shit using this recipe
#occasionally.
:0
* ^X-MS-TNEF-Correlator:
* ^Subject:.*homepage
/dev/null
#################################################################
In another thread about spam and viruses people have been saying procmail
isn't the best way to achieve this because of the chance of false positives
and because no warning is issued that a message has been dumped. One
(manual) workaround for this may be to have the dumped messages sent to
/home/tmp/sircam rather than straight to /dev/null. They arrive in there
with filenames of the form msg.[X]ATC where [X] is an incrementing letter (I
don't know what happens when it gets to Z but at the rate my users are
receiving sircams I'll probably find out soon) and can be read using mail -f
messagename, and forwarded if found to be OK.
HTH you Michael - please thank Colin if it does.
Eddie
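The following is an added example, not part of the thread and not procmail code. It reimplements in Python the checks that the two main recipes in Eddie's /etc/procmailrc perform (the attachment-extension block and the weighted SirCam body match, plus the sed renaming of name="..." parameters), so the matching can be tried against sample messages without a mail spool. The sample messages are constructed, not real captures. One assumption is flagged in the code: an unweighted condition in a scoring recipe is treated as must-match, which is how the log in the thread behaves.

```python
import re

# Attachment extensions named in the attachment-blocking recipe.
BLOCKED_EXT = ("vbs", "wsf", "eml", "shs", "exe", "nws", "chm", "pif", "vbe", "hta", "scr")
EXT_ALT = "|".join(BLOCKED_EXT)

# procmail conditions are case-insensitive unless the D flag is set (re.I), and
# '^' in a condition matches at the start of any line in the region (re.M).
CONTENT_TYPE_RE = re.compile(r"^Content-type: (multipart/mixed|application/octet-stream)", re.I | re.M)
DISPOSITION_RE = re.compile(r"^Content-Disposition: (attachment|inline);", re.I | re.M)
FILENAME_RE = re.compile(r'filename="([^"]*\.(%s))"' % EXT_ALT, re.I)

# SirCam recipe: each '1^0' phrase adds 1 to the score; the last condition has no weight.
SIRCAM_WEIGHTED = (
    r"I send you this file in order to have your advice",
    r"I hope you like the file that I send( t)?o you",
    r"This is the file with the information that you ask for",
)
SIRCAM_REQUIRED = (r"See you later(\.|=2E) Thanks",)


def split_message(raw):
    """Header and body as procmail's H and B regions: the body starts after the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head, body


def sircam_score(raw):
    """Total score of the SirCam recipe, or None when a plain (unweighted) condition fails.

    Assumption (consistent with the thread's log): an unweighted condition inside a
    scoring recipe must still match, and the recipe fires only if the total is positive.
    """
    _, body = split_message(raw)
    if not all(re.search(p, body, re.I) for p in SIRCAM_REQUIRED):
        return None
    return sum(1 for p in SIRCAM_WEIGHTED if re.search(p, body, re.I))


def bad_attachment(raw):
    """Offending filename if the attachment recipe would fire, else None.

    The outer ':0' condition sees only the header region; the inner ':0 HB' conditions
    see header and body, which is where the MIME part headers live.
    """
    head, _ = split_message(raw)
    if not CONTENT_TYPE_RE.search(head) or not DISPOSITION_RE.search(raw):
        return None
    m = FILENAME_RE.search(raw)
    return m.group(1) if m else None


def defang_filenames(raw):
    """What the sed filter does: append .txt (.not for .exe) inside name="..." parameters."""
    def rename(m):
        suffix = ".not" if m.group(2).lower() == "exe" else ".txt"
        return m.group(1) + suffix + '"'
    return re.sub(r'(name="[^"]*\.(%s))"' % EXT_ALT, rename, raw, flags=re.I)


def classify(raw):
    """Apply the recipes in the order the procmailrc lists them; the first hit wins."""
    fname = bad_attachment(raw)
    if fname:
        return ("attachment", fname)
    score = sircam_score(raw)
    if score:
        return ("sircam", score)
    return ("pass", None)


# Constructed sample messages (not real captures).
SIRCAM_SAMPLE = """From: sender@example.invalid
Subject: 11january
Content-Type: text/plain

Hi! How are you=3F

I send you this file in order to have your advice

See you later=2E Thanks
"""

ATTACH_SAMPLE = """From: sender@example.invalid
Subject: homework
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Report.DOC.pif"
Content-Disposition: attachment; filename="Report.DOC.pif"

AAAA
--b1--
"""

# A weighted phrase alone is not enough: the plain condition must also match.
CLEAN_SAMPLE = """From: sender@example.invalid
Subject: minutes
Content-Type: text/plain

I send you this file in order to have your advice on the budget.
"""

if __name__ == "__main__":
    for name, raw in (("sircam", SIRCAM_SAMPLE), ("attach", ATTACH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, classify(raw))
    print(defang_filenames(ATTACH_SAMPLE))
```

The clean sample shows the false-positive concern raised at the end of the thread from the other side: one matching phrase scores 1, but the recipe still does not fire unless the unweighted "See you later" condition matches as well, so quarantining to a directory such as /home/tmp/sircam rather than /dev/null remains the sensible way to review what the recipe actually caught.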