[Esd-l] MiMail D and E
Agostini yves
agostini at univ-metz.fr
Wed Nov 5 01:49:26 PST 2003
This traps MiMail D and E, I can't know exactly which ...
http://www.sarc.com/avcenter/venc/data/w32.mimail.e@mm.html
http://www.sarc.com/avcenter/venc/data/w32.mimail.d@mm.html
It could be fine to find a rule for all MiMail variants
# Trap MIMail DE (03/11/2003)
#
# Outer recipe: message size window plus header checks.
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
* ^From:.*john@
* ^Subject:.*be late
{
    # Inner recipe (B = match against the body): base64 attachment named
    # readnow<digits>.zip, with the name on the same or on a folded line.
    :0 B
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?readnow[0-9]*\.zip"?
    * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?readnow[0-9]*\.zip"?
    {
        LOG="TRAPPED: Probable MiMail worm "
        :0 hfi
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] QUARANTINE" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped MiMail worm "
    }
}
--
-----------------------------------------------------------------
AGOSTINI Yves CRIUM - Université de Metz
agostini at univ-metz.fr http://www.crium.univ-metz.fr
tel: 03 87 31 52 63 fax: 03 87 31 53 33
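
Added example, not part of the original post: a Python mirror of the recipe's conditions that can be run against stored messages to check what the rule would and would not trap before deploying it. The function names, addresses, subject text and filler payload are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Same filename pattern as the recipe (procmail regexes are case-insensitive).
NAME_RE = re.compile(r"readnow[0-9]*\.zip", re.I)

def matches_recipe(raw: bytes) -> bool:
    """Apply the recipe's conditions to one raw message."""
    if not 10000 < len(raw) < 50000:              # * > 10000 / * < 50000
        return False
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/mixed":
        return False
    if not re.search(r"john@", str(msg.get("From", "")), re.I):
        return False
    if not re.search(r"be late", str(msg.get("Subject", "")), re.I):
        return False
    # The recipe greps the whole body; checking each MIME part is stricter.
    for part in msg.walk():
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if (part.get_content_disposition() == "attachment" and cte == "base64"
                and NAME_RE.match(part.get_filename() or "")):
            return True
    return False

def build_sample(filename="readnow42.zip", sender="john@example.com",
                 subject="don't be late!", size=12000) -> bytes:
    """Constructed test message; the payload is filler bytes, not a real ZIP."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", subject
    msg.set_content("constructed body text")
    msg.add_attachment(b"\0" * size, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for name in ("readnow42.zip", "report.zip"):
        print(name, matches_recipe(build_sample(filename=name)))
```

Because the MIME parser unfolds headers, the single filename check here covers both of the recipe's weighted conditions (name on the same line and name on a continuation line).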