Re: [cobalt-users] MyDoom for Windows is being used to attack UINUX Website
- Subject: Re: [cobalt-users] MyDoom for Windows is being used to attack UINUX Website
- From: Jay Summers <jay@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sun Feb 1 14:09:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
on 2/1/04 1:31 PM, Jeff Lasman wrote:
>> It is programmed to launch a worldwide attack on the Web
>> site of SCO, one of the largest unix vendors in the world.
>
> I still haven't figured out how to block them at "rcpt to" time, but I
> have some filters locally that you and others could implement in
> procmail to keep these from getting to your users:
>
> 1) Filter on subject of "Hi" and attachment of zip file
> 2) Filter on subject of "Re: Hi" and attachment of zip file
> 3) Filter on sender of "MAILER-DAEMON" and attachment of zip file
> 4) Filter on sender of "Mailer-Daemon" and attachment of zip file
> 5) Filter on subject contains "Virus Alert - ScanMail" and attachment of
> zip file
> 6) Filter on subject contains "Several matches found in Domino
> Directory" and attachment of zip file.
>
> I'm sure we'll get a few more signatures to look for as time goes on.
I'm using Dallman Ross's virus snagger with procmail and it's grabbing all
of them except a few bounce-backs from other mailservers.
http://www.ii.com/internet/robots/procmail/qs/#viruses
And here's a relevant thread from the procmail mailing list.
http://marc.theaimsgroup.com/?l=procmail&w=2&r=2&s=mydoom&q=b
HTH,
Jay
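
The six filters listed in the quoted message, as an added example that is not part of the original thread. It is written in Python rather than as procmail recipes so the attachment check parses the MIME headers (including folded ones) instead of pattern-matching the raw body. The names `match_rule`, `has_zip_attachment` and `sample` are chosen here, "sender" is assumed to mean the From header, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# The six signatures from the quoted list: (rule number, header, mode, text).
RULES = [
    (1, "subject", "equals", "Hi"),
    (2, "subject", "equals", "Re: Hi"),
    (3, "from", "contains", "MAILER-DAEMON"),
    (4, "from", "contains", "Mailer-Daemon"),
    (5, "subject", "contains", "Virus Alert - ScanMail"),
    (6, "subject", "contains", "Several matches found in Domino Directory"),
]

def has_zip_attachment(msg):
    """True if any MIME part carries a filename ending in .zip."""
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename= and falls back
        # to Content-Type name=, and copes with folded header lines.
        name = part.get_filename()
        if name and name.strip().lower().endswith(".zip"):
            return True
    return False

def match_rule(raw):
    """Return the number of the first matching rule, or None to deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not has_zip_attachment(msg):
        return None  # every rule in the list requires a zip attachment
    for number, header, mode, text in RULES:
        value = str(msg.get(header, "")).strip()
        if mode == "equals" and value == text:
            return number
        if mode == "contains" and text in value:
            return number
    return None

def sample(subject, sender, filename):
    """Build a constructed test message with one attachment (not real worm mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("see attachment")
    m.add_attachment(b"PK\x03\x04constructed", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```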