# Recommended local sanitizer rules
# $Id: local-rules.procmail,v 1.13 2004-02-16 18:51:59-08 jhardin Exp jhardin $
#
# Each recipe below is a hand-written fingerprint for one mail worm (or, in
# one case, a mail-header exploit).  A recipe matches on message size,
# header fields and/or base64-encoded body fragments, then pipes the
# message through formail to add X-Content-Security: headers that name the
# requested handling (NOTIFY / NONOTIFY, QUARANTINE / DISCARD) plus a
# REPORT line.  Nothing here delivers, drops or notifies by itself; the
# headers are presumably consumed by the sanitizer that includes this file.
#
# Reading the recipes:
#   * > N / * < N     compare the total message length in bytes
#   B                 match conditions against the body instead of the header
#   H ?? / B ??       force one condition onto the header / body
#   hfi               pipe only the header through the filter (h), replace
#                     it with the filter's output (f), ignore write errors (i)
#   E                 run only if the preceding recipe at the same level
#                     did not match ("else")
#   D                 case-sensitive matching
#   w^1 cond          scored condition; 1^1 adds one per match, and the
#                     9876543210^1 weight is large enough that any single
#                     hit forces a positive score, i.e. the pair acts as OR
#   .*$.*name         $ matches a newline in procmail, so this variant also
#                     finds the name= parameter on a folded continuation line
#
# NOTE(review): every fingerprint is pinned to the size window and header
# layout of the variant seen on the date in its comment; a later variant
# with a different size, charset or attachment name will fall through.

# Detect Hybris when sent as an anonymous message.
#
# Outer: > 20000 bytes, no Subject: and no To: header, multipart/mixed.
# Inner: either a Content-Disposition: or a Content-Type: body line naming
# a .EXE file (scored, so one hit is enough).
:0
* > 20000
* !^Subject:
* !^To:
* ^Content-Type:.*multipart/mixed;
{
    :0 B hfi
    * 1^1 ^Content-Disposition:.*\.EXE
    * 1^1 ^Content-Type:.*\.EXE
    | formail -A "X-Content-Security: [${HOST}] NOTIFY" \
        -A "X-Content-Security: [${HOST}] QUARANTINE" \
        -A "X-Content-Security: [${HOST}] REPORT: Trapped anonymous executable"
}

# Trap SirCam (signature as of 08/01/2001)
#
# The three alternatives in the last condition appear to be the same byte
# sequence at the three possible base64 alignments, so the fragment is
# found regardless of where it falls in the encoded attachment.
:0
* > 130000
* ^Content-Type:.*multipart/mixed;
{
    :0 B hfi
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    * AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] DISCARD" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped SirCam worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html"
}

# Trap BadTrans (signature as of 11/26/2001)
#
# Keyed on the fixed MIME boundary string the worm used, a "Re:" subject
# and a 40000-50000 byte size window; the body must carry a base64
# audio/x-wav part with a Content-ID: (the executable disguised as audio).
:0
* > 40000
* < 50000
* ^Subject: Re:
* ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
{
    :0 B hfi
    * ^Content-Type: audio/x-wav;
    * ^Content-ID:
    * ^Content-Transfer-Encoding: base64
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] DISCARD" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
}

# Trap Klez (signature as of 04/26/2002)
# Trap BugBear (signature as of 10/06/2002)
#
# Both worms send a multipart/alternative message whose "audio" part is a
# base64 Windows executable: TVqQAAMAAAAEAAAA is the base64 form of the
# "MZ" executable header.  The two are told apart by size only: Klez is
# over 100000 bytes, otherwise (E) it is reported as BugBear.  The second
# inner recipe catches the Klez variant that ships the executable as
# application/octet-stream under a subject like "A special  <word>".
:0
* > 50000
* ^Content-Type:.*multipart/alternative;
{
    :0 B
    * \
      ^Content-Type:.*audio/
    * ^Content-ID:.*<
    * ^Content-Transfer-Encoding: base64
    * ^TVqQAAMAAAAEAAAA
    {
        :0 hfi
        * > 100000
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
            -A "X-Content-Security: [$HOST] DISCARD" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"

        # The enclosing recipe already requires > 50000, so this size
        # condition always holds once the Klez branch has not matched.
        :0 E hfi
        * > 50000
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
            -A "X-Content-Security: [$HOST] DISCARD" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped possible BugBear worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html"
    }

    # [ ][ ] is two literal spaces.
    :0 B E hfi
    * H ?? ^Subject: A( (special|very))?[ ][ ][a-z]
    * ^Content-Type:.*application/octet-stream
    * ^Content-ID:
    * ^Content-Transfer-Encoding: base64
    * ^TVqQAAMAAAAEAAAA
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] DISCARD" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
}

# Attempt to trap sendmail header exploit (signature as of 03/05/2003)
#
# CRITICAL NOTE: this WILL NOT protect the system it is installed on.
# It is intended to prevent a patched Sendmail from relaying an attack
# message onwards.
#
# Matches any address header (including Resent-, Errors-To, Apparently-To,
# Disposition-Notification-To and Return-Path) that contains five or more
# empty "<>" pairs followed by a parenthesised comment.  No size bound.
:0 hfi
* ^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notification|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
    -A "X-Content-Security: [$HOST] QUARANTINE" \
    -A "X-Content-Security: [$HOST] REPORT: Trapped possible sendmail header exploit"

# Trap SoBig (signature as of 06/26/2003)
#
# Fixed body text plus a base64 attachment named <one of a short list>.zip,
# with the name= parameter accepted either on the header line itself or on
# a folded continuation line (the two scored conditions).
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
    :0 B hfi
    * ^Please see the attached zip file for details\.
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
    * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] QUARANTINE" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html"
}

# Trap SoBig.F direct message (signature as of 08/21/2003)
# Thanks to Sergio Cesar for refinements
#
# The "X-MailScanner: Found to be clean" header is part of the fingerprint
# of the worm's own messages; it is a trap condition, not a trust signal.
# The sender address in these messages is forged, so sender notification
# is switched off (SECURITY_NOTIFY_SENDER cleared, presumably read by the
# sanitizer, and the NONOTIFY header) before discarding.
:0
* > 98000
* < 107000
* ^Content-Type:.*multipart/mixed;
* ^X-MailScanner: Found to be clean
{
    :0 B
    * ^(Please )?see the attached (zip )?file for details\.?
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
    * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
    {
        # don't bother the sender, it's forged
        SECURITY_NOTIFY_SENDER=

        :0 hfi
        | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
            -A "X-Content-Security: [$HOST] DISCARD" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig.F worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"
    }
}

# Trap SoBig.F bounce message (signature as of 08/21/2003)
# Thanks to Sergio Cesar for refinements
#
# Same attachment fingerprint as above, but for a bounce (^FROM_DAEMON)
# that encloses the original worm message, so the multipart/mixed and
# X-MailScanner lines are looked for in the body (B ??) rather than the
# outer header.  Quarantined rather than discarded.
:0
* > 98000
* < 107000
* ^FROM_DAEMON
* B ?? ^Content-Type:.*multipart/mixed;
* B ?? ^X-MailScanner: Found to be clean
{
    :0 B
    * ^(Please )?see the attached (zip )?file for details\.?
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
    * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
    {
        # don't bother the sender, it's a bounce
        SECURITY_NOTIFY_SENDER=

        :0 hfi
        | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
            -A "X-Content-Security: [$HOST] QUARANTINE" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped bounced SoBig.F worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"
    }
}

# Trap MiMail (08/01/2003)
#
# 10000-50000 bytes, From: containing "admin@", Subject: containing
# "your account", with a base64 attachment named message.zip.
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
* ^From:.*admin@
* ^Subject:.*your account
{
    :0 B hfi
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?message\.zip"?
    * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?message\.zip"?
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] QUARANTINE" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped MiMail worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html"
}

# SWEN (09/28/2003)
# originally by Sergey Latkin
#
# Case-sensitive (D): the worm emitted either all-caps FROM:/TO:/SUBJECT:
# headers or mixed-case ones with the listed vendor/recipient/patch words.
# First inner recipe: the "audio" attachment variant carrying an executable
# extension.  Second (E): the HTML "Cumulative Patch" variant with an inline
# GIF and an application/x-msdownload .exe part.
:0 D
* > 130000
* < 170000
* ^(FROM:|From:.*(MS|Microsoft|[Ss]torage|MAILER-DAEMON@|[Aa]dmin|[Dd]aemon|[Tt]echnical|[Pp]ostmaster))
* ^(TO:|To:.*(" "|[Cc]lient|[Cc]ustomer|[Cc]onsumer|[Pp]artner|[Rr]ecipient|[Rr]eceiver|[Uu]ser))
* ^(SUBJECT:|Subject:.*([Uu]pdate|[Uu]pgrade|[Pp]atch|[Bb]ug|[Ee]rror|[Cc]ritical|[Ss]ecurity))
{
    :0 B hfi
    * ^Content-ID:.*<.*>
    * ^Content-Transfer-Encoding:.*base64
    * ^Content-Type:.*audio/x-(wav|midi).*name *=.*\.(com|exe|bat|scr|pif)
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] DISCARD" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped swen variant worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html"

    :0 E B hfi
    * ^Content-Type:.*text/html
    * ^Content-Transfer-Encoding:.*(quoted-printable|7bit)
    * ^(Microsoft|MS) (Client|Customer|User|Consumer|Partner)
    * ^"September 20[0-9][0-9], Cumulative Patch"
    * ^Content-ID:.*<.*>
    * ^Content-Type:.*image/gif
    * ^Content-Transfer-Encoding:.*base64
    * ^Content-Type:.*application/x-msdownload.*name *=.*\.exe
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] DISCARD" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped swen variant worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html"
}

#
# Trap NovArg
# Signature as of 01/28/2004
# Worm is generating random filenames
#
# Because the attachment name is random, the name condition only requires
# an alphanumeric .zip; the discriminators are the size window, a
# multipart/mixed or multipart/report structure and a text/plain part
# declared as charset Windows-1252 (checked in the body, B ??, with the
# usual folded-line alternative).
:0
* > 20000
* < 60000
* ^Content-Type:.*multipart/(mixed|report);
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*charset *= *"?Windows-1252"?
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*$.*charset *= *"?Windows-1252"?
{
    :0 B hfi
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?[0-9A-Za-z]+\.zip"?
    * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?[0-9A-Za-z]+\.zip"?
    | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
        -A "X-Content-Security: [$HOST] DISCARD" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html"
}