[Esa-l] SoBig local rule - updated

Sergey Latkin slatkin at phg.com
Tue Aug 26 08:03:12 PDT 2003


On Monday August 25 2003 20:18, John D. Hardin wrote:
>
> You'd better post the revised rule to the list.
>

Here it goes. It does not catch DSNs from sendmail, but otherwise works fine. 
If you want to trap DSNs, too, then remove the X-MailScanner condition.

### local-rules.procmail trap for SoBig.F.
# Changes:
# NOTIFY changed to NONOTIFY; Min size is 98000; 'details' added to regex

:0
* > 98000
* < 130000
* ^Content-Type:.*multipart/mixed;
* ^X-MailScanner: Found to be clean
{
        :0 B hfi
        * ^Content-Disposition: attachment;
        * ^Content-Transfer-Encoding: base64
        # Scored conditions: either filename match alone pushes the score positive and fires the recipe
        * 987654321^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(pif|scr)"?
        * 987654321^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(pif|scr)"?
        | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig variant worm - http://securityresponse.symantec.com/"
}

### end-of-rule

On Wednesday August 20 2003 09:39, Sergey Latkin wrote:
> # Sobig.f signature
>
> :0
>
> * > 100000
> * < 130000

-- 
Sergey Latkin
Pinnacle Health Group
http://www.phg.com
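As an added illustration, not part of the original post or of the procmail rule above, the same trap conditions expressed in Python over a parsed message: size window, multipart/mixed, the X-MailScanner clean header, and a base64 attachment whose name matches the worm's filename list. The sample message and the `build_sample` helper are constructed here for testing and are not a real worm sample.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Filename pattern from the procmail rule (procmail regexes are case-insensitive by default).
SOBIG_NAME_RE = re.compile(
    r"(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(pif|scr)",
    re.IGNORECASE,
)
MIN_SIZE, MAX_SIZE = 98000, 130000  # byte bounds from the "* > 98000" / "* < 130000" conditions


def is_sobig_f(raw: bytes, require_scanner_clean: bool = True) -> bool:
    """Return True when a raw RFC 822 message satisfies the trap's conditions."""
    if not (MIN_SIZE < len(raw) < MAX_SIZE):
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/mixed":
        return False
    # The X-MailScanner condition is what keeps sendmail DSNs out of the trap;
    # pass require_scanner_clean=False to mirror removing it from the rule.
    scanner = [str(v).strip() for v in msg.get_all("X-MailScanner", [])]
    if require_scanner_clean and not any(v.startswith("Found to be clean") for v in scanner):
        return False
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        if (part.get("Content-Transfer-Encoding") or "").strip().lower() != "base64":
            continue
        # Filename comes from either Content-Disposition or Content-Type, as in the rule.
        if SOBIG_NAME_RE.match(part.get_filename() or ""):
            return True
    return False


def build_sample(filename: str, payload_len: int = 75000, scanned: bool = True) -> bytes:
    """Constructed test message: multipart/mixed with one base64 attachment of dummy bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # constructed addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re: Details"
    if scanned:
        msg["X-MailScanner"] = "Found to be clean"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"\x00" * payload_len, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```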