[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm

John D. Hardin jhardin at impsec.org
Thu Jun 26 06:23:26 PDT 2003

On Thu, 26 Jun 2003, Pierre Etchemaite wrote:

> Some rules quarantine, others discard; Some rules notify, that one
> doesn't...
> Is there a logic behind those differences, or only historical reasons?
> Just wondering...

Some of it does have a reason, some is sloppiness. :)

Where the identification is reliable, the default is to discard. Where
it's iffy (like with SoBig) you should quarantine.

The "NONOTIFY" was my failure to clean up a cut-and-paste from my
local rulesets: I'm discarding notifications on known attacks. I have
changed SoBig to NOTIFY in the sample ruleset file - thanks for
mentioning this.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.
                                            -- James Madison, 1799
   495 days until the Presidential Election
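The two policies described above (discard when the match is reliable, quarantine and notify when it is iffy), written out as plain procmail recipes. This is an added illustration, not a rule from the sanitizer's own ruleset or its local-rules syntax; the `SANITIZER_ADMIN` address, the `$HOME/quarantine` mailbox and the attachment patterns are assumptions chosen for the example, and the `.zip` pattern is a stand-in, not a SoBig signature.

```procmail
# Added example (not from the sanitizer distribution): plain procmail recipes
# showing "reliable match -> discard" versus "iffy match -> quarantine + notify".
# SANITIZER_ADMIN and QUARANTINE are assumed values for this illustration.
SANITIZER_ADMIN=postmaster
QUARANTINE=$HOME/quarantine

# Policy 1: reliable identification -> discard silently.
# Example trigger: an attachment whose name ends in a Windows executable
# extension; there is no legitimate reason to accept these, so no notify.
:0
* B ?? (filename|name)=".*\.(exe|pif|scr|bat|com)"
/dev/null

# Policy 2: iffy identification (a .zip that *might* carry a worm) ->
# keep a copy for human review, tell the admin, and stop processing.
:0
* B ?? ^Content-Disposition:.*attachment
* B ?? (filename|name)=".*\.zip"
{
  # 'c' = carbon copy (processing continues), ':' = use a lockfile on the mailbox
  :0 c:
  $QUARANTINE

  # Summarise who/what was quarantined (header extraction only, no attachment
  # is forwarded) and mail it to the admin; a pipe delivery ends processing.
  :0
  | formail -X"From:" -X"Subject:" -X"Message-ID:" \
    | mail -s "[quarantine] possible worm attachment" $SANITIZER_ADMIN
}
```

The quarantine recipe deliberately forwards only extracted headers rather than the message itself, so the notification cannot re-deliver the suspect attachment to the admin's inbox; the `/dev/null` recipe needs no lockfile since nothing is written.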
