[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm

John D. Hardin jhardin at impsec.org
Thu Jun 26 15:04:48 PDT 2003


On Thu, 26 Jun 2003, Smart,Dan wrote:

> Can I do the same with the sendmail test, remove hfi from the first
> condition, and put it before the formail commands...
> 
> :0
> * ^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notification|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
> {
>   LOG="TRAPPED: Probable sendmail header exploit"
>   :0 hfi
>   | formail -A "X-Content-Security: [$HOST] NOTIFY" \
>             -A "X-Content-Security: [$HOST] QUARANTINE" \
>             -A "X-Content-Security: [$HOST] REPORT: Trapped possible sendmail header exploit"
> }

That should work.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.
                                            -- James Madison, 1799
-----------------------------------------------------------------------
   495 days until the Presidential Election
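The condition quoted in the thread fires on a sender/recipient header line that contains at least five literal empty angle-bracket pairs (`<>`) followed, on the same line, by a parenthesised comment; the inner `hfi` recipe then feeds only the header through `formail -A` to stamp the three X-Content-Security lines the sanitizer acts on. The following is an added, stand-alone Python re-implementation of that check and that action, not code from the Sanitizer or from either poster, written to show what the rule does and does not match. Procmail is not available offline, so the condition is translated to Python's `re` syntax: procmail's `\(` and `\)` are literal parentheses, its conditions are matched case-insensitively, and `^` anchors at each header line, hence `IGNORECASE | MULTILINE`. The sample header blocks and the host name `mx1` are constructed for illustration.

```python
import re

# Constructed host name and sample header blocks (not from the original post).
HOST = "mx1"

# Header names exactly as listed in the procmail condition.
HEADER_NAMES = (
    r"(?:(?:resent-)?(?:sender|from|(?:reply-)?to|cc|bcc)"
    r"|(?:errors|disposition-notification|apparently)-to"
    r"|Return-Path)"
)

# Translation of the procmail condition. Five literal "<>" pairs, then a
# "(...)" comment, all on one header line. "." does not cross a newline,
# so a header folded onto continuation lines is inspected piecewise, as
# procmail's own "." (any character except newline) would.
TRAP_RE = re.compile(
    r"^" + HEADER_NAMES + r": .*<>.*<>.*<>.*<>.*<>.*\(.*\)",
    re.IGNORECASE | re.MULTILINE,
)

# formail -A appends these three header fields unconditionally.
TAGS = [
    "NOTIFY",
    "QUARANTINE",
    "REPORT: Trapped possible sendmail header exploit",
]


def trapped_lines(headers):
    """Return the header lines the condition would trap (empty list = clean).

    `headers` is the message header block only, mirroring the `h` flag on the
    inner recipe, which hands just the header to formail.
    """
    return [m.group(0) for m in TRAP_RE.finditer(headers)]


def annotate(headers, host=HOST):
    """Mimic the recipe's action: append the X-Content-Security fields to a
    trapped header block; a clean header block is returned unchanged."""
    if not trapped_lines(headers):
        return headers
    extra = "".join(f"X-Content-Security: [{host}] {tag}\n" for tag in TAGS)
    return headers.rstrip("\n") + "\n" + extra


# Constructed samples. The benign block has a normal addr-spec with a comment
# and a line with only four empty pairs, neither of which should trap.
BENIGN = (
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com> (Alice)\n"
    "To: <><><><> (only four empty pairs)\n"
    "Subject: hello\n"
)

# Constructed sample of the shape the rule is looking for: six empty pairs
# and a long parenthesised comment in a Reply-To header (mixed case checks
# that the match is case-insensitive, as in procmail).
EXPLOIT = (
    "Return-Path: <>\n"
    "Reply-To: <><><><><><> (" + "A" * 40 + ")\n"
    "Subject: test\n"
)

if __name__ == "__main__":
    for name, block in (("benign", BENIGN), ("exploit", EXPLOIT)):
        print(name, "->", trapped_lines(block) or "clean")
    print(annotate(EXPLOIT), end="")
```

Only the header block is passed in, so the appended fields land at the end of the header just as `formail -A` would place them; run the same functions over a message body and `^` would anchor at body lines too, which is exactly what the `h` flag on the quoted recipe avoids.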