[Esd-l] Proposed MiMail local-rules rule

John D. Hardin jhardin at impsec.org
Sat Aug 2 10:36:00 PDT 2003


I haven't actually seen one of these messages, so this is from the AV
descriptions and may miss something.

Comments solicited.

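# Trap MiMail (08/01/2003)
#
# Outer recipe (header tests): message size between 10000 and 50000 bytes,
# multipart/mixed, From containing "admin@", Subject containing "your account".
# Inner recipe (body tests): a base64 attachment named message.zip. The two
# weighted conditions act as an OR: the name= parameter on the same line as
# the Content-Type/Content-Disposition field, or on the following folded line.
#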
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
* ^From:.*admin@
* ^Subject:.*your account
{
        :0 B hfi
        * ^Content-Disposition: attachment;
        * ^Content-Transfer-Encoding: base64
        * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?message\.zip"?
        * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?message\.zip"?
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] QUARANTINE" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped MiMail worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html"
}



--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   91 days until Matrix Revolutions
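
Added example, not part of the original post: a Python harness that mirrors the recipe's conditions so the rule can be exercised on constructed messages before it is deployed. The function names, sample addresses and filler payload are assumptions made for this example; it approximates procmail's matching (case-insensitive, unfolded headers, `$` as newline) and does not run procmail itself.

```python
import re

F = re.I | re.M  # procmail regexes are case-insensitive; ^ anchors at line starts

HEADER_ALL = [r"^Content-Type:.*multipart/mixed;",
              r"^From:.*admin@",
              r"^Subject:.*your account"]
BODY_ALL = [r"^Content-Disposition: attachment;",
            r"^Content-Transfer-Encoding: base64"]
# The two weighted conditions behave as an OR. procmail's "$" means a newline,
# written "\n" here, so the second pattern covers a name= on a folded line.
BODY_ANY = [r'^Content-(Type|Disposition):.*name *= *"?message\.zip"?',
            r'^Content-(Type|Disposition):.*\n.*name *= *"?message\.zip"?']

def recipe_matches(raw: str) -> bool:
    """True if the raw message satisfies every condition of the recipe."""
    if not 10000 < len(raw.encode()) < 50000:      # "* > 10000" and "* < 50000"
        return False
    header, _, body = raw.partition("\n\n")
    header = re.sub(r"\n[ \t]+", " ", header)      # header tests see unfolded fields
    return (all(re.search(p, header, F) for p in HEADER_ALL)
            and all(re.search(p, body, F) for p in BODY_ALL)
            and any(re.search(p, body, F) for p in BODY_ANY))

def sample(disposition: str, sender: str = "admin@example.com", pad: int = 12000) -> str:
    """Constructed test message; the base64 text is filler, not a real attachment."""
    return (f"From: {sender}\n"
            "Subject: your account\n"
            'Content-Type: multipart/mixed;\n boundary="b1"\n'
            "\n"
            "--b1\n"
            "Content-Type: application/x-zip-compressed\n"
            "Content-Transfer-Encoding: base64\n"
            f"Content-Disposition: attachment;{disposition}\n"
            "\n"
            + "QUFB" * (pad // 4) + "\n--b1--\n")

SAME_LINE = ' filename="message.zip"'   # parameter on the field's own line
FOLDED = '\n filename="message.zip"'    # parameter on a continuation line

if __name__ == "__main__":
    for label, msg in [("name on same line", sample(SAME_LINE)),
                       ("name on folded line", sample(FOLDED)),
                       ("other attachment name", sample(' filename="report.zip"')),
                       ("sender is not admin@", sample(SAME_LINE, sender="bob@example.com")),
                       ("under 10000 bytes", sample(SAME_LINE, pad=400))]:
        print(f"{label:24} -> {recipe_matches(msg)}")
```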


