[Esd-l] local rules file
Michael Meltzer
michael.meltzer at sicad.de
Thu Apr 4 04:33:01 PST 2002
Trying to trap mail worms, I use a local rules file with the sanitizer 1.132,
but the mail went through the filter.
my /etc/procmailrc:
---------------------- snip ------------------------
VERBOSE=off
SHELL=/bin/sh
PATH=/usr/bin:/usr/sbin:/bin:/usr/ucb:/usr/local/procmail/bin
LOCKFILE=$HOME/.lockmail
#
# set own secure logfile for the rescan script
ARG = $1
:0
* ARG ?? ^^LOGFILE=\//var/tmp/ReScan_maillog_[a-z0-9][a-z0-9_-]*\.o\.[0-9][0-9]*^^
{
LOGFILE=$MATCH
}
:0 E
{
LOGFILE=/dir/procmail.log
}
#
#LOGFILE=${1-/dir/procmail.log}
DATUM=`date '+%d. %T'`
#
:0
* ^Subject:.*ILOVEYOU
! m.m at sicad.de
#
:0
* ^Subject:.*New Generation of drivers[ ]*$
! m.m at sicad.de
#
:0
* ^Subject:.*Remember Windows 3\.1
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped BlueMail worm"
:0 B
* > 134000
* Este es el archivo con la informaci=n que me pediste
! m.m at sicad.de
#
######################################################
# Prepare the virus scanner #
######################################################
DROPPRIVS=YES
POISONED_EXECUTABLES=/dir1/poisoned
SECURITY_NOTIFY="x.y at sicad.de, a.b at sicad.de"
SECURITY_NOTIFY_VERBOSE="m.m at sicad.de"
SECURITY_NOTIFY_SENDER=""
SECURITY_NOTIFY_RECIPIENT="/dir1/empfaenger_info.txt"
SECURITY_QUARANTINE=/dir/fangeisen
SECURITY_QUARANTINE_OPTIONAL='no'
POISONED_SCORE=25
SCORE_HISTORY=/dir/macro-scanner-scores
DEFANG_WEBBUGS='yes'
MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|cil|pps|wm[szd]|vcf|nws|\{[-0-9a-f]+\}'
#
# Finished setting up, now run the sanitizer...
INCLUDERC=/dir1/local-rules.procmail
INCLUDERC=/dir1/html-trap.procmail
#
# Reset some things to avoid leaking info to
# the users...
POISONED_EXECUTABLES=
SECURITY_NOTIFY=
SECURITY_NOTIFY_VERBOSE=
SECURITY_QUARANTINE=
SECURITY_NOTIFY_RECIPIENT=
LOGFILE=$HOME/procmail.log
----------------------- snip --------------------------------
my local-rules.procmail:
----------------------- snip --------------------------------
#
# Trap Nice Couple Worm
#
:0
*
{
:0 B hfi
* http://briefcase\.yahoo\.com/cpl4u3000
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped Trojaner Nice couple/Subseven.21"
}
----------------------- snip ---------------------------------
procmail logfile:
From michael.meltzer at sicad.de Thu Apr 4 11:38:52 2002
Subject: Neuer Virus im Umlauf. Schutzsoftware hier
Folder: formail -A "X-Content-Security: [$HOST] NOTIFY" \ 1274
any advice ?
Michael
--
+---- Michael Meltzer ---+-----------------------------------------+
| SICAD Geomatics | EMail : Michael.Meltzer at sicad.de |
| Otto-Hahn-Ring 6 | Phone : +49-89-636-46239 |
| 81739 Muenchen | Fax : +49-89-636-51313 |
+------------------------+-----------------------------------------+
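The post sets up a two-stage flow: the local rules file only tags a trapped message with X-Content-Security headers (each formail -A call appends one), and the sanitizer included afterwards is expected to read those tags and act on them. The following is an added example, not code from the post or from the Email Sanitizer project: a small Python model of both stages, using the two tagging regexes from the poster's recipes, so that a saved message can be run through it to see which headers stage 1 should have produced and which actions stage 2 would read back from them. HOST is an assumed placeholder for procmail's $HOST, the sample messages are constructed here, and the tag layout is the one the poster's recipes emit, not a claim about the sanitizer's own parser.

```python
import re
from email import message_from_string
from email.message import Message

HOST = "mailhost.example"  # assumed placeholder standing in for procmail's $HOST

# Tagging rules copied from the poster's recipes: (report text, where to look, regex)
RULES = [
    ("BlueMail worm", "subject", re.compile(r"Remember Windows 3\.1")),
    ("Trojaner Nice couple/Subseven.21", "body",
     re.compile(r"http://briefcase\.yahoo\.com/cpl4u3000")),
]

# Constructed sample messages (not real captures)
SAMPLE_WORM = """From: someone@example.invalid
To: user@example.invalid
Subject: Neuer Virus im Umlauf. Schutzsoftware hier

Look here: http://briefcase.yahoo.com/cpl4u3000
"""
SAMPLE_CLEAN = """From: colleague@example.invalid
To: user@example.invalid
Subject: Meeting notes

Minutes follow in the next mail.
"""


def local_rules(msg: Message) -> Message:
    """Stage 1: what the posted local-rules recipes do on a match.

    Each formail -A call in the post appends one X-Content-Security header;
    this adds the same three. Only the first matching rule fires, as the
    first matching procmail recipe would.
    """
    subject = msg.get("Subject", "")
    body = "\n".join(part.get_payload() for part in msg.walk()
                     if not part.is_multipart())
    for report, where, pattern in RULES:
        if pattern.search(subject if where == "subject" else body):
            msg.add_header("X-Content-Security", f"[{HOST}] NOTIFY")
            msg.add_header("X-Content-Security", f"[{HOST}] QUARANTINE")
            msg.add_header("X-Content-Security",
                           f"[{HOST}] REPORT: Trapped {report}")
            break
    return msg


def requested_actions(msg: Message) -> dict:
    """Stage 2: read the tags back and return the actions they request.

    A message with no tags, or with tags that do not parse, comes back as
    all-false, which is exactly the case to look for when a trapped mail
    'went through': the tags were present but not in the expected shape.
    """
    actions = {"notify": False, "quarantine": False, "reports": []}
    tag = re.compile(
        r"^\[(?P<host>[^\]]*)\]\s*(?P<action>NOTIFY|QUARANTINE|REPORT:\s*(?P<text>.*))$")
    for value in msg.get_all("X-Content-Security", []):
        m = tag.match(value.strip())
        if m is None:
            continue  # unrecognised tag: ignored, not silently treated as clean
        action = m.group("action")
        if action == "NOTIFY":
            actions["notify"] = True
        elif action == "QUARANTINE":
            actions["quarantine"] = True
        else:
            actions["reports"].append(m.group("text"))
    return actions


def run_pipeline(raw: str) -> dict:
    """Run both stages over one raw RFC 822 message and summarise the result."""
    return requested_actions(local_rules(message_from_string(raw)))


if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(name, run_pipeline(raw))
```

To compare against a real run, feed the message as it leaves the local-rules stage (for instance a copy from the quarantine directory) to requested_actions alone; if that returns all-false while the procmail log shows the formail recipe firing, the headers were added but not in the layout the second stage is looking for.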