[Esd-l] SWEN identifier: TO/FROM/SUBJECT

Andy Feldt feldt at nhn.ou.edu
Wed Sep 24 07:03:33 PDT 2003


John wrote (in response to Brett):
> Three other telltales:
> 100KB - 160KB in size (has anybody seen one outside this size range?)
> multiple image attachments
> executable attachment

Sorry to jump in so late, but I think you might consider the approach
that Nikos K. Kantarakias takes with his YAVR (Yet Another Virus Recipe).
(See http://agriroot.aua.gr/~nikant/nkvir-rc).  He has recently started
updating it again and has a Swen segment in his recipe.  He uses a
technique of scoring messages based on (random?) samplings of the
base64 strings in the message combined with procmail's weighted scoring
capability.  I believe this approach is far more reliable than those
that have been discussed here.  If you are brave, you can modify
his recipe so that, instead of filing each virus found in its own
quarantine folder, you can run it through something like:

  {
  # $DATE and $NL are set earlier in the procmailrc; this just logs a marker line
  LOG="---=== WORM-SWEN $DATE ===---${NL}"
  # h = hand only the header to the pipe, f = treat the pipe as a filter,
  # i = ignore write errors; formail -A appends each header to the message
  :0 hfi
  | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
            -A "X-Content-Security: [$HOST] DISCARD" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped Swen"
  }

and then allow the sanitizer to work on it.  This way you can easily
choose the ultimate disposition of the message.  You just run his
recipe (appropriately modified) before you run the sanitizer.  I
run it at the end of my local rules.

Andy

---
Andy Feldt
Senior System Support Programmer
Affiliate Assistant Professor
Department of Physics and Astronomy
The University of Oklahoma
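A worked example of the scoring-then-tagging idea from the post above. This is added code, not from Andy's message and not from the YAVR recipe he cites: it scores a raw message on the three telltales John listed (100KB-160KB size, several image attachments, an executable attachment) with per-telltale weights, and once the total clears a threshold it inserts the same X-Content-Security headers the post hands to the sanitizer. The weights, the threshold, the host name "mail.example.invalid" and the sample message are constructed for illustration, and awk stands in for formail -A so the script runs where procmail is not installed.

```shell
#!/bin/sh
# Added example (not from the esd-l post or the YAVR recipe it cites).
# Weighted telltale scoring for a raw RFC 822 message, then header tagging.
# Weights, threshold, host name and the sample message are constructed.

# Constructed sample. A real message of this kind would be far larger, so
# the size telltale takes the byte count as an argument rather than
# measuring this string.
SAMPLE_MSG='From: sender@example.invalid
To: victim@example.invalid
Subject: Microsoft Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/html

<html>patch</html>
--xyz
Content-Type: image/gif; name="logo1.gif"
Content-Transfer-Encoding: base64

R0lGODlh
--xyz
Content-Type: image/gif; name="logo2.gif"
Content-Transfer-Encoding: base64

R0lGODlh
--xyz
Content-Type: application/octet-stream; name="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--xyz--
'

# swen_score MESSAGE SIZE_BYTES: print the weighted score (0..4)
swen_score() {
    msg=$1; size=$2; score=0

    # telltale 1 (weight 1): whole message between 100KB and 160KB
    if [ "$size" -ge 102400 ] && [ "$size" -le 163840 ]; then
        score=$((score + 1))
    fi

    # telltale 2 (weight 1): more than one image/* MIME part
    images=$(printf '%s\n' "$msg" |
        awk 'tolower($0) ~ /^content-type: *image\// { n++ } END { print n + 0 }')
    if [ "$images" -gt 1 ]; then
        score=$((score + 1))
    fi

    # telltale 3 (weight 2): an attachment named with an executable extension
    if printf '%s\n' "$msg" | grep -E -i -q 'name="[^"]*\.(exe|scr|pif|bat|com)"'; then
        score=$((score + 2))
    fi

    echo "$score"
}

# swen_headers HOST: the three headers the post adds with formail -A
swen_headers() {
    printf 'X-Content-Security: [%s] NONOTIFY\n' "$1"
    printf 'X-Content-Security: [%s] DISCARD\n' "$1"
    printf 'X-Content-Security: [%s] REPORT: Trapped Swen\n' "$1"
}

# tag_if_swen MESSAGE SIZE_BYTES HOST THRESHOLD: print the message; when the
# score reaches THRESHOLD the tagging headers are inserted at the end of the
# header block, leaving the final disposition to the sanitizer
tag_if_swen() {
    msg=$1; size=$2; host=$3; threshold=$4
    if [ "$(swen_score "$msg" "$size")" -ge "$threshold" ]; then
        printf '%s\n' "$msg" | awk -v hdrs="$(swen_headers "$host")" '
            !done && /^$/ { print hdrs; done = 1 }
            { print }'
    else
        printf '%s\n' "$msg"
    fi
}

# usage: treat the sample as if it were 120000 bytes and show its header block
tag_if_swen "$SAMPLE_MSG" 120000 mail.example.invalid 3 | sed -n '1,/^$/p'
```

The point of the threshold is the one the post makes about weighted scoring: no single telltale decides, so a legitimate 120KB newsletter with two logos is not tagged, while a message that also carries an executable attachment is. The threshold and weights are the tunable part; in a procmail deployment the same scores would be expressed with procmail's weighted conditions and the tagging done by the formail -A block quoted above.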
