[Esa-l] Poisoning "from" and subject line?
Bjarni R. Einarsson
bre at klaki.net
Thu Nov 30 12:36:06 PST 2000
On 2000-11-30, 13:56:14 (-0600), Dustin Ankeny wrote:
> I've been having some difficulty with the poisoned list, with viruses like
> hybris (which does not have a standard exe/scr name, it has a list of names
> randomly picked) so therefore hard to poison... but it always appears to be
> sent from...
> From: Hahaha <hahaha at sexyfun.net>
> Or it always has a standard subject line of
> Subject: Snowhite and the Seven Dwarfs - The REAL story!
This is incorrect - I've received a copy of Hybris which had neither
characteristic. But you're right: that is *one* good way to block
*some* of the Hybris messages out there. Same goes for some spam,
and some other viruses. Having a simple way to do this has proved
very effective at slowing outbreaks like Melissa or the love bug.
> Anyway getting to my point, could there also be poisoned list for the
> subject line as well as the from field? (possibly others?) I know this is
I believe this is overkill. If you are using John's sanitizer, then
you are already using procmail, which supports things like this with
a very simple, yet powerful syntax. It doesn't make sense to
complicate the sanitizer until it reimplements procmail within
Just create a file named "viruses.rc", put it wherever you keep your
procmail rulesets, and make it contain something like this:
# Uncomment this to save viruses in a different mailbox for each user
# Uncomment this to forward viruses to an admin
#QUARANTINE=!admins at email.address
* Subject: Snowhite and the Seven Dwarfs - The REAL story!
* From:.*hahaha at sexyfun.net
Then you can include these checks in your /etc/procmailrc of
individual .procmailrc files with a line like this:
... of course, please test this before deploying it globally. I
wrote it from memory and probably made one or two mistakes.
Just my two cents, hope this helps. :-)
Bjarni R. Einarsson PGP: 02764305, B7A3AB89
bre at klaki.net -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
More information about the esd-l