
[cobalt-users] Re: GENERAL: Viruses, regex'es and procmail



> From: "Per M Knutsen" <per.knutsen@xxxxxxxxxxxxxx>
> To: "cobalt-users" <cobalt-users@xxxxxxxxxxxxxxx>
> Date: Mon, 6 Aug 2001 03:26:20 +0300
> Subject: [cobalt-users] GENERAL: Viruses, regex'es and procmail
> Reply-To: cobalt-users@xxxxxxxxxxxxxxx
> 
> With all the recent talk about procmail and the SirCam virus (which I have
> still to see with my own eyes), I was wondering if anyone knows of an
> updated source or mailing list (aka bugtraq) that keeps people updated with
> virulent strains?
> 
> Also, are there repositories somewhere that are updated and where one can
> fetch regular expressions to use with procmail?
> 
> 
> Per M Knutsen
> http://nethut.no/~pknutsen
> 

Dear Per,

The SirCam worm is indeed quite an irritating thing to have.
Fortunately we've already stopped around 820 of them, which
resulted in 260 Megs of useless mail traffic.

We used Procmail to do this with the following contents:

# Outer recipe: only mail with a multipart or attachment Content-Type
# header is examined further. This is a normal (unscored) condition on
# purpose: as a 1^0 scored condition it would, on its own, mark every
# multipart message as infected and warn every sender.
:0
* ^Content-Type:.*(multipart|attachment)
{
  # Inner recipe: each 1^0 condition adds 1 to the score when it matches,
  # so any one of these body phrases is enough to trigger the action.
  # B ?? searches the raw body, hence the =3F / =2E quoted-printable forms.
  :0
  * 1^0 B ?? Hi\! How are you(\?|=3F)
  * 1^0 B ?? I send you this file in order to have your advice
  * 1^0 B ?? See you later (\.|=2E) Thanks
  * 1^0 B ?? Hola como estas *\?
  * 1^0 B ?? Te mando este archivo para que me des tu punto de vista
  * 1^0 B ?? Nos vemos pronto, gracias\.
  * 1^0 B ?? I hope you like the file that I send( t)?o you
  * 1^0 B ?? This is the file with the information that you ask for
  {
    # Warn the sender: h = hand only the header to formail, c = carry on
    # with a copy so the message also reaches the next recipe.
    # Skip daemons and our own warnings (X-Loop) to avoid mail loops.
    :0hc
    * !^FROM_DAEMON
    * !^X-Loop: devnull@xxxxxx
    | (formail -r -I'From: "BitBucket" <devnull@xxxxxx>' -I'Precedence: junk' -I'Subject: Your machine is infected with the SirCam worm' -A'X-Loop: devnull@xxxxxx' ; cat /home/janvs/.vbsblock/sircam.txt ;) | /usr/sbin/sendmail -t

    # Store the infected message instead of delivering it.
    :0
    $MAILDIR/infected.mbx
  }
}

This works really well for my company and me :-)
It also sends a warning back to the sender, as you can see.

Hope this helps.

As to your question whether there are repositories where one can find
procmail code to stop all kinds of virii, I must say that I haven't
found anything so far.

However, a search on the procmail mailing list helps you out most
of the time (http://www.xray.mpe.de/mailing-lists/procmail/) if
you're looking for procmail code to block virii.

Good luck!
Best regards, Jan.
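To exercise the detection logic of the recipe above offline, here is an added example that is not part of this thread or of procmail itself: a Python re-implementation of the recipe's body phrases and 1^0 scoring, run against constructed sample messages. It assumes the Content-Type condition is meant as a required gate (matched with `.*`) ahead of the scored body phrases, and, like procmail's `B ??`, it searches the undecoded body, which is why quoted-printable spellings such as =3F are in the patterns.

```python
import re
# Body phrases from the procmail recipe above, in Python regex syntax
# (procmail matches case-insensitively by default, hence IGNORECASE).
BODY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"Hi! How are you(\?|=3F)",
    r"I send you this file in order to have your advice",
    r"See you later (\.|=2E) Thanks",
    r"Hola como estas *\?",
    r"Te mando este archivo para que me des tu punto de vista",
    r"Nos vemos pronto, gracias\.",
    r"I hope you like the file that I send( t)?o you",
    r"This is the file with the information that you ask for",
)]
# Header gate. Assumption: the recipe's Content-Type check is meant as a
# required condition (written with .*), applied before any body scoring.
CONTENT_TYPE = re.compile(r"^Content-Type:.*(multipart|attachment)", re.I | re.M)

def split_message(raw):
    """Header block and body, split at the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head, body

def score_body(raw):
    """Add 1 per matching phrase, like the recipe's 1^0 weights. The body is searched
    undecoded, as procmail's 'B ??' does, which is why =3F / =2E appear in the patterns."""
    body = split_message(raw)[1]
    return sum(1 for pat in BODY_PATTERNS if pat.search(body))

def is_sircam(raw, min_score=1):
    """Content-Type gate, then score >= min_score. The default of 1 reproduces
    the recipe, where a single matching phrase is enough to trigger it."""
    head = split_message(raw)[0]
    return bool(CONTENT_TYPE.search(head)) and score_body(raw) >= min_score

# Constructed sample messages (not real captures): a worm-like body in
# quoted-printable form, and an innocent multipart greeting.
SIRCAM_LIKE = """Content-Type: multipart/mixed; boundary="b1"

--b1

Hi! How are you=3F
I send you this file in order to have your advice
--b1--
"""
FRIENDLY = """Content-Type: multipart/mixed; boundary="b2"

--b2

Hi! How are you? The photos are attached.
--b2--
"""
```

With the recipe's threshold of a single phrase, an ordinary multipart mail that opens with "Hi! How are you?" scores 1 and is flagged as well; the `min_score` parameter shows how raising the threshold trades that false positive against coverage.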