aaz (was Re: [Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm)

Scott Taylor scott at dctchambers.com
Thu Jun 26 08:02:46 PDT 2003


Why do you keep reposting this message only stealing other people's 
subjects?  I'm pretty sure OutHouse Expunger gives the user the ability to 
enter their own subject.

Why am I top posting?  Because you leave me little choice.  You also give 
us no hints on the contents of your procmailrc file other than one little 
rule, and how did you set up SpamAssassin?  etc...

1.) Start your own thread
2.) Give us some background on your setup
    i) procmailrc (fully)
   ii) Mail Server (name and version, i.e.: Sendmail V8.8.8)
  iii) other software you are using including versions and setup
   iv) anything else that might be relevant, like the line in your 
       sendmail.cf file that calls procmail or spamassassin or whatever
       else you may be running.
3.) Don't top post, like I just did, and clean up irrelevant text.
4.) Receive a sane answer

At 07:40 06/26/03, aaz wrote:
>Hi,
>We are using the sanitizer and spamassassin on our system.
>
>In our /etc/procmailrc file we have the sanitizer calls and INCLUDERC's
>first and then at the end of the file we have
>
>:0fw
>* < 256000
>| spamc
>
>The effect we want is to have the sanitizer do its thing before the
>spamassassin gets it. However just the opposite is happening. Spamassassin
>is running before the sanitizer. How to correct this?
>
>
>----- Original Message -----
>From: "John D. Hardin" <jhardin at impsec.org>
>To: "Pierre Etchemaite" <petchema at concept-micro.com>
>Cc: <esd-l at spconnect.com>
>Sent: Thursday, June 26, 2003 7:23 AM
>Subject: Re: [Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm
>
>
> > On Thu, 26 Jun 2003, Pierre Etchemaite wrote:
> >
> > > Some rules quarantine, others discard; Some rules notify, that one
> > > doesn't...
> > > Is there a logic behind those differences, or only historical reasons ?
> > >
> > > Just wondering...
> >
> > Some of it does have a reason, some is sloppiness. :)
> >
> > Where the identification is reliable, the default is to discard. Where
> > it's iffy (like with SoBig) you should quarantine.
> >
> > The "NONOTIFY" was my failure to clean up a cut-and-paste from my
> > local rulesets: I'm discarding notifications on known attacks. I have
> > changed SoBig to NOTIFY in the sample ruleset file - thanks for
> > mentioning this.
> >
> > --
> >  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
> >  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
> >  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> > -----------------------------------------------------------------------
> >   The fetters imposed on liberty at home have ever been forged out
> >   of the weapons provided for defense against real, pretended, or
> >   imaginary dangers from abroad.
> >                                             -- James Madison, 1799
> > -----------------------------------------------------------------------
> >    495 days until the Presidential Election
> >
> > _______________________________________________
> > Esd-l mailing list
> > Esd-l at spconnect.com
> > http://www.spconnect.com/mailman/listinfo/esd-l
> >