[Esd-l] X-Unsent: header as way of recognizing mass mailing worms

Howard Lowndes lannet at lannet.com.au
Thu Nov 29 07:39:01 PST 2001


John, are all these tweaks going onto the web site as they are
created/modified?  I'm kinda losing track of where IMPSEC is up to and am
thinking I should do a full pull down again.

Perhaps a change datestamp as well as / instead of a version number might
help.

On Thu, 29 Nov 2001, John D. Hardin wrote:

> On Wed, 28 Nov 2001, Brett Glass wrote:
>
> > I've recently noticed that only transmissions by worms (Badtrans.B
> > and Nimda.E) seem to contain an X-Unsent: header. Because it's
> > characteristic of several worms, it may be that worm writers are
> > re-using code that inserts it. It might be useful to have a local
> > recipe that checks for this header and quarantines.
>
> Okay:
>
>
> #
> :0
> * ^MIME-Version:
> * ^Content-Type:.*multipart/
> * ^X-MSMail
> * ^X-Unsent:
> | formail -A "X-Content-Security: [$HOST] NOTIFY" \
>           -A "X-Content-Security: [$HOST] QUARANTINE" \
>           -A "X-Content-Security: [$HOST] REPORT: Trapped mail with suspicious X-Unsent: header"
>
>
> I added the MSMail header to try to limit the scope of this a bit, as
> the Unsent header may be used legitimately by non-MS mailers.
>
> Again, if you're not using the Sanitizer, substitute your own
> quarantine action code in place of the formail call.
>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                       pgpk -a jhardin at wolfenet.com
>   768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
>  1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   In 1998 more than three times as many people in the US were killed
>   by incompetent physicians than were killed by handguns, yet the
>   President of the A.M.A. is adopting "gun safety" as his platform.
> -----------------------------------------------------------------------
>    1069 days until the Presidential Election
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
>

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
 "We are either doing something, or we are not.
 'Talking about' is a subset of 'not'."
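The recipe quoted above AND-s four header conditions before tagging the mail for the Sanitizer. As an added example (not code from this thread or from IMPSEC), the same match re-implemented in Python with the standard `email` package, run over two constructed sample messages: one carrying all four headers and one from a non-Microsoft mailer that sets X-Unsent: without any X-MSMail header, which is the case John's extra condition is meant to spare. The host name `mx.example` is an assumed placeholder for procmail's `$HOST`.

```python
from email import message_from_string
from email.message import Message

# Constructed sample messages (headers only, not real worm traffic).
WORM_LIKE = """\
From: someone@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"
X-MSMail-Priority: Normal
X-Unsent: 1

--b1--
"""

# Legitimate multipart mail that sets X-Unsent: but has no X-MSMail* header.
LEGIT_NON_MS = """\
From: someone@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"
X-Unsent: 1

--b2--
"""


def suspicious_x_unsent(msg: Message) -> bool:
    """All four '*' conditions of the recipe must hold (procmail AND-s them).
    procmail header matching is case-insensitive, so names/values are lower-cased."""
    headers = {k.lower(): v for k, v in msg.items()}
    if "mime-version" not in headers:                       # * ^MIME-Version:
        return False
    if "multipart/" not in headers.get("content-type", "").lower():  # * ^Content-Type:.*multipart/
        return False
    # '^X-MSMail' is a prefix match: X-MSMail-Priority etc. all qualify.
    if not any(name.startswith("x-msmail") for name in headers):
        return False
    return "x-unsent" in headers                            # * ^X-Unsent:


def tag_message(raw: str, host: str = "mx.example") -> tuple[bool, Message]:
    """Parse raw mail; on a match, append the three X-Content-Security headers
    the recipe adds with `formail -A`. Returns (matched, message)."""
    msg = message_from_string(raw)
    hit = suspicious_x_unsent(msg)
    if hit:
        msg["X-Content-Security"] = f"[{host}] NOTIFY"
        msg["X-Content-Security"] = f"[{host}] QUARANTINE"
        msg["X-Content-Security"] = f"[{host}] REPORT: Trapped mail with suspicious X-Unsent: header"
    return hit, msg
```

Because `Message.__setitem__` appends rather than replaces, the three tags come out as separate headers, exactly as three `-A` flags would produce them.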
