[Esd-l] anti-NovArg rules

Dan Riley dsr at mail.lns.cornell.edu
Sat Feb 7 13:34:39 PST 2004

"John D. Hardin" <jhardin at impsec.org> writes:
> (particularly anybody being hammered by NovArg)

Which reminds me--it was noted on nanog that NovArg has X-Priority and
X-MSMail-Priority headers but not X-Mailer or X-MimeOLE, and just
about the only other mail to share that property is spam.  This seems
to work pretty well, and no false positives here so far:

# from an observation by Todd Vierling on nanog
* > 10000
* < 50000
* ^X-Priority:
* ^X-MSMail-Priority:
* ^Content-Type:.*multipart/mixed;
* !^X-Mailer:
* !^X-MimeOLE:
    :0 B hfi
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    | formail -A "X-Content-Security: [${HOST}] QUARANTINE" \
              -A "X-Content-Security: [${HOST}] REPORT: possible Novarg worm"


More information about the esd-l mailing list