[Esa-l] Stopping Hybris via global /etc/procmailrc

Bjarni R. Einarsson bre at netverjar.is
Mon Jan 8 04:42:21 PST 2001


Hi,

I've been getting huge amounts of Hybris via mail lately, and a lot of
it is (as previously discussed here) sent with completely random file
names and few recognizable headers.  I've been collecting my
specimens, and have found the following trends:

   - Hybris always prefixes its MIME boundaries with "VE".
   - The anonymous messages don't have subject lines.
   - The first lines of the Base64-encoded attachment are always the same.

So I created a procmail ruleset which checks for these tell-tales,
checks the message size and some other headers.  It's a pretty tight
match, and I doubt it will discard anything that isn't really Hybris.

I'd recommend using a variation of this rule before passing the message
on to my or John's sanitizers.

As usual: deploy with care, and don't blame me if it eats your mail.
Hope it helps. :)


My /etc/procmailrc contains:

# Global procmail ruleset to block spam and other icky stuff.
# Icky stuff is dumped in /tmp/spam.USERNAME
#

DROPPRIVS=yes

##############################################################################

# Detect Hybris when sent from hahaha@sexyfun.net
# (header-only match; the dot is escaped so it matches literally)
:0
* ^From:.*hahaha@sexyfun\.net
/tmp/spam.$LOGNAME

# Detect Hybris when sent as an anonymous message.
#
:0 i
* > 32000
* < 33000
* !^Subject:
* ^Content-Type: multipart/mixed; boundary="--VE
{
	:0 B
	* ^Content-Type: text/plain; charset="us-ascii"
	* ^Content-Disposition:.*\.EXE
	* ^Content-Type:.*\.EXE
	* ^TVqQAAMAAAAEAAAA
	* ^SiXLG3Lv\+wdKT1hwcrOTfD7rduGAY5LvseJ7
	* ^D4TKBAAAUFVQ/1QkSAEs
	/tmp/spam.$LOGNAME
}


-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at netverjar.is              -><-             http://bre.klaki.net/

Netverjar gegn ruslpósti: http://www.netverjar.is/baratta/ruslpostur/
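The recipe above is easy to reason about once its two rules are written out as ordinary code. The following is an added example, not part of Bjarni's post or his ruleset: a small Python classifier that applies the same conditions (the known sender address, the 32000-33000 byte size window, the missing Subject, the `--VE` boundary prefix, and the six body tell-tales from the nested `:0 B` block) to a raw message. The sample message it builds is constructed for the test; the boundary, addresses, filename and filler are made up, and only the three leading base64 lines and the header patterns are the ones quoted in the post.

```python
import re

# Size window and patterns are copied from the procmail recipe in the post.
MIN_SIZE, MAX_SIZE = 32000, 33000
KNOWN_SENDER = re.compile(r"^From:.*hahaha@sexyfun\.net", re.I | re.M)
BOUNDARY = re.compile(r'^Content-Type: multipart/mixed; boundary="--VE', re.I | re.M)
SUBJECT = re.compile(r"^Subject:", re.I | re.M)
# procmail's ^ matches at the start of any line in the scanned region, so the
# body patterns are applied with re.M, mirroring the ":0 B" recipe.
BODY_PATTERNS = [re.compile(p, re.I | re.M) for p in (
    r'^Content-Type: text/plain; charset="us-ascii"',
    r"^Content-Disposition:.*\.EXE",
    r"^Content-Type:.*\.EXE",
    r"^TVqQAAMAAAAEAAAA",                      # base64 of a DOS "MZ" header
    r"^SiXLG3Lv\+wdKT1hwcrOTfD7rduGAY5LvseJ7",
    r"^D4TKBAAAUFVQ/1QkSAEs",
)]


def split_message(raw: bytes):
    """Split an RFC 822 message into header and body text.

    latin-1 maps bytes 1:1 so odd attachments never raise decode errors."""
    text = raw.replace(b"\r\n", b"\n").decode("latin-1")
    head, _, body = text.partition("\n\n")
    return head, body


def classify(raw: bytes):
    """Return the name of the matching rule, or None when the mail passes."""
    head, body = split_message(raw)
    # Rule 1: the well-known Hybris sender address (header-only match).
    if KNOWN_SENDER.search(head):
        return "known-sender"
    # Rule 2: the anonymous variant.  Every header condition must hold ...
    if not (MIN_SIZE < len(raw) < MAX_SIZE):
        return None
    if SUBJECT.search(head) or not BOUNDARY.search(head):
        return None
    # ... and so must every body condition from the nested ":0 B" block.
    if all(p.search(body) for p in BODY_PATTERNS):
        return "anonymous-variant"
    return None


def build_sample(with_subject: bool = False, target_size: int = 32500) -> bytes:
    """Construct a synthetic message shaped like the post describes.

    Not a real specimen: boundary, addresses, filename and filler are made up;
    only the three leading base64 lines are the tell-tales quoted in the post."""
    boundary = "--VE1234abcd"   # constructed; real boundaries vary after "VE"
    head = ["From: nobody@example.invalid", "To: victim@example.invalid"]
    if with_subject:
        head.append("Subject: hello")
    head.append(f'Content-Type: multipart/mixed; boundary="{boundary}"')
    body = [
        f"--{boundary}",
        'Content-Type: text/plain; charset="us-ascii"',
        "",
        "(empty text part)",
        f"--{boundary}",
        'Content-Type: application/octet-stream; name="RND0M.EXE"',
        'Content-Disposition: attachment; filename="RND0M.EXE"',
        "Content-Transfer-Encoding: base64",
        "",
        "TVqQAAMAAAAEAAAA" + "A" * 60,
        "SiXLG3Lv+wdKT1hwcrOTfD7rduGAY5LvseJ7" + "A" * 40,
        "D4TKBAAAUFVQ/1QkSAEs" + "A" * 56,
    ]
    msg = "\n".join(head) + "\n\n" + "\n".join(body) + "\n"
    filler = "QUFB" * 19 + "\n"   # 76-column base64 filler to reach the size window
    while len(msg) + len(filler) + len(boundary) + 5 < target_size:
        msg += filler
    msg += f"--{boundary}--\n"
    return msg.encode("latin-1")


if __name__ == "__main__":
    print(classify(build_sample()))                    # anonymous-variant
    print(classify(build_sample(with_subject=True)))   # None
    print(classify(b"From: hahaha@sexyfun.net\n\nhi\n"))  # known-sender
```

Two things the code makes visible that the recipe leaves implicit: every condition is ANDed, so a variant that adds a Subject line or lands outside the size window sails through (the heuristics are deliberately tight rather than broad), and the file target `/tmp/spam.$LOGNAME` is a predictable path in a world-writable directory, which is the classic setting for a symlink race; delivering into a per-user directory avoids that.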


