[Esd-l] anti-NovArg rules

Dan Riley dsr at mail.lns.cornell.edu
Sat Feb 7 13:34:39 PST 2004


"John D. Hardin" <jhardin at impsec.org> writes:
> (particularly anybody being hammered by NovArg)

Which reminds me--it was noted on nanog that NovArg has X-Priority and
X-MSMail-Priority headers but not X-Mailer or X-MimeOLE, and just
about the only other mail to share that property is spam.  This seems
to work pretty well, and no false positives here so far:

#
# from an observation by Todd Vierling on nanog
#
# Header conditions: message size between 10000 and 50000 bytes,
# X-Priority and X-MSMail-Priority present, a multipart/mixed
# Content-Type, and neither X-Mailer nor X-MimeOLE (a message from
# Outlook or Outlook Express that set the two priority headers would
# normally also carry those two).
#
:0
* > 10000
* < 50000
* ^X-Priority:
* ^X-MSMail-Priority:
* ^Content-Type:.*multipart/mixed;
* !^X-Mailer:
* !^X-MimeOLE:
{
    # Body conditions (B): a base64-encoded attachment somewhere in
    # the body.  Flags: h = feed only the header to the pipe,
    # f = treat the pipe as a filter (its output replaces the header),
    # i = ignore write errors.  formail -A appends the two headers.
    :0 B hfi
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    | formail -A "X-Content-Security: [${HOST}] QUARANTINE" \
              -A "X-Content-Security: [${HOST}] REPORT: possible Novarg worm"
}

-dan
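The heuristic in the recipe above, as an added example that is not part of the original post: a Python re-implementation of the same conditions (size window, the two priority headers present, multipart/mixed, X-Mailer and X-MimeOLE absent, a base64 attachment in the body) plus a formail -A style tagger, run against constructed sample messages. The sample messages, their header values and the host name "mx1" are made up for the example; only the conditions and the two X-Content-Security headers come from the recipe.

```python
# Added example, not from the original post: re-implements the procmail
# recipe's Novarg heuristic in Python so it can be run offline against
# constructed messages.  Size bounds, header names and body patterns come
# from the recipe; the sample messages and the host name are made up here.
import base64
import email
import re

MIN_SIZE = 10000   # recipe: "* > 10000"
MAX_SIZE = 50000   # recipe: "* < 50000"

# procmail matches case-insensitively and ^ anchors at any line start (re.M)
CONTENT_TYPE_RE = re.compile(r"multipart/mixed;", re.I)
BODY_PATTERNS = (
    re.compile(rb"^Content-Disposition: attachment;", re.M | re.I),
    re.compile(rb"^Content-Transfer-Encoding: base64", re.M | re.I),
)


def looks_like_novarg(raw: bytes) -> bool:
    """True when the raw message satisfies every condition of the recipe."""
    if not (MIN_SIZE < len(raw) < MAX_SIZE):
        return False
    msg = email.message_from_bytes(raw)          # used for header lookups only
    # Must be present: X-Priority, X-MSMail-Priority, multipart/mixed
    if msg.get("X-Priority") is None or msg.get("X-MSMail-Priority") is None:
        return False
    if not CONTENT_TYPE_RE.search(msg.get("Content-Type", "")):
        return False
    # Must be absent: the headers a real Outlook/Outlook Express mail adds
    if msg.get("X-Mailer") is not None or msg.get("X-MimeOLE") is not None:
        return False
    # The ":0 B" conditions run against the body (after the first blank line)
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) == 2 else b""
    return all(p.search(body) for p in BODY_PATTERNS)


def tag_message(raw: bytes, host: str) -> bytes:
    """Mimic 'formail -A': append the two X-Content-Security headers."""
    parts = re.split(rb"(\r?\n\r?\n)", raw, maxsplit=1)
    if len(parts) != 3:
        return raw
    head, sep, body = parts
    nl = b"\r\n" if sep.startswith(b"\r") else b"\n"
    added = nl.join([
        f"X-Content-Security: [{host}] QUARANTINE".encode(),
        f"X-Content-Security: [{host}] REPORT: possible Novarg worm".encode(),
    ])
    return head + nl + added + sep + body


def build_sample(include_mailer: bool, payload_len: int = 20000) -> bytes:
    """Constructed test message: multipart/mixed with one base64 attachment."""
    headers = [
        b"From: someone@example.com",
        b"To: someone.else@example.com",
        b"Subject: hello",
        b"MIME-Version: 1.0",
        b"X-Priority: 3",
        b"X-MSMail-Priority: Normal",
        b'Content-Type: multipart/mixed; boundary="----=_part"',
    ]
    if include_mailer:   # what a genuine Outlook Express message would carry
        headers += [b"X-Mailer: Microsoft Outlook Express 6.00",
                    b"X-MimeOLE: Produced By Microsoft MimeOLE"]
    attachment = base64.encodebytes(b"\x00" * payload_len)
    body = [
        b"------=_part",
        b"Content-Type: text/plain",
        b"",
        b"see attached",
        b"------=_part",
        b'Content-Type: application/octet-stream; name="file.zip"',
        b"Content-Transfer-Encoding: base64",
        b'Content-Disposition: attachment; filename="file.zip"',
        b"",
        attachment.replace(b"\n", b"\r\n").rstrip(),
        b"------=_part--",
        b"",
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + b"\r\n".join(body)


if __name__ == "__main__":
    for label, raw in (("no X-Mailer", build_sample(False)),
                       ("with X-Mailer", build_sample(True))):
        verdict = looks_like_novarg(raw)
        print(f"{label:14s} size={len(raw):6d} novarg={verdict}")
        if verdict:
            print(tag_message(raw, "mx1").split(b"\r\n\r\n", 1)[0].decode())
```

The size window is applied to the whole message, as procmail's `>`/`<` conditions do, so a message with a larger or smaller attachment drops out of the rule even when every header condition holds; the body patterns are applied to the raw body text rather than to parsed MIME parts so that they behave exactly like the recipe's `^`-anchored conditions.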

