[Esd-l] So.Big rule

Sergio Cesar sergio at winc.net
Thu Aug 28 11:39:45 PDT 2003


Is this how this rule should look now?
(watch for the line wrap)
Sergio

# Trap SoBig (signature as of 06/26/2003) updated 08/21/2003, 08/28/2003
#
:0
* > 98000
* < 130000
* ^Content-Type:.*multipart/mixed;
* HB ?? ^X-MailScanner: Found to be clean
{
        :0 B hfi
        * ^(Please )?see the attached (zip )?file for details\.?
        * ^Content-Disposition: attachment;
        * ^Content-Transfer-Encoding: base64
        * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
        * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] QUARANTINE" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"

}

-----Original Message-----
From: esd-l-bounces at spconnect.com [mailto:esd-l-bounces at spconnect.com]On
Behalf Of Chris Rothbauer
Sent: Thursday, August 28, 2003 12:48 PM
To: esd-l at spconnect.com
Subject: [Esd-l] So.Big Back splatter

Alright, I've had enough so please check my logic since frustration might
just be in my way. I've implemented every rule posted to this list (one at a
time, of course - and before sanitizer.rc is called) and these things are
still getting through. The main denominator in the one's I'm getting seem to
be the undeliverable replies. I'm thinking any reply that is undeliverable
is either something I don't want anyway, or a bad 'reply to' as assigned by
the original sender.
How about something this simple?

:0 hi
* ^Subject: Undeliverable: Re: .*
/dev/null

Is there something this this may catch, which I may want (or perhaps a logic
flaw)? Or (thinking as I'm writing this), am I putting the rules in the
wrong place? I have 'backscatter.rc' being called (via INCLUDERC) before
'sanitizer.rc' in the master 'filt.rc' which is invoked by sendmail.

C
_______________________________________________
Esd-l mailing list
Esd-l at spconnect.com
http://www.spconnect.com/mailman/listinfo/esd-l
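Added example, not part of the list post or of the sanitizer project: the conditions of the SoBig recipe above re-expressed as a small Python classifier, so each test (size window, multipart/mixed, the X-MailScanner "clean" stamp, the lure phrase, the attachment name list) can be checked one at a time against a constructed message. The thresholds, header names and filename list are taken from the recipe; the sample messages, the sender addresses and the helper names are constructed for this example.

```python
"""SoBig.F recipe conditions as a Python classifier (added example).
Thresholds, header names and the attachment-name list mirror the procmail
recipe from the list post; the sample messages below are constructed."""
import re
from email import message_from_bytes, policy

MIN_SIZE, MAX_SIZE = 98000, 130000   # the recipe's '* > 98000' / '* < 130000'
LURE_RE = re.compile(r"^(Please )?see the attached (zip )?file for details\.?", re.M)
NAME_RE = re.compile(
    r"^(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)"
    r"\.(zip|pif|scr)$")

# Every one of these must hold for the recipe to fire (its conditions are ANDed).
REQUIRED = ("size-window", "multipart/mixed", "mailscanner-clean", "lure-phrase", "attachment")


def sobig_reasons(raw: bytes) -> set:
    """Return the names of the recipe's conditions that the raw message satisfies."""
    hits = set()
    if MIN_SIZE < len(raw) < MAX_SIZE:
        hits.add("size-window")
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/mixed":
        hits.add("multipart/mixed")
    # The recipe only looks at mail the upstream scanner already stamped clean,
    # i.e. it is a backstop for a signature that scanner missed.
    if any("Found to be clean" in v for v in msg.get_all("X-MailScanner", [])):
        hits.add("mailscanner-clean")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/plain" and LURE_RE.search(part.get_content()):
            hits.add("lure-phrase")
        name = part.get_filename()   # filename= from Content-Disposition, else name= from Content-Type
        if (name and NAME_RE.match(name)
                and part.get_content_disposition() == "attachment"
                and part.get("Content-Transfer-Encoding", "").lower() == "base64"):
            hits.add("attachment")
    return hits


def is_sobig(raw: bytes) -> bool:
    """True only when all conditions hold. The recipe's two 9876543210^1 lines
    make its filename regexes an OR; NAME_RE against the parsed filename covers both."""
    return set(REQUIRED) <= sobig_reasons(raw)


def build_message(attachment_name: str, lure: bool, payload_lines: int) -> bytes:
    """Constructed sample: multipart/mixed mail with one base64 attachment.
    payload_lines controls the message size (76 filler chars per line)."""
    text = "Please see the attached file for details.\n" if lure else "Quarterly figures attached.\n"
    payload = "\n".join(["A" * 76] * payload_lines)   # filler that looks like base64
    return (
        "From: sender@example.invalid\r\n"
        "To: someone@example.invalid\r\n"
        "Subject: Re: Details\r\n"
        "X-MailScanner: Found to be clean\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        f"{text}"
        "\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream;\r\n"
        f'\tname="{attachment_name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{attachment_name}"\r\n'
        "\r\n"
        f"{payload}\r\n"
        "--b1--\r\n"
    ).encode()


# Constructed samples: one that matches every condition, one legitimate zip of
# the same size, and one with the lure and name but far below the size window.
WORM_LIKE = build_message("your_details.pif", lure=True, payload_lines=1300)
LEGIT_ZIP = build_message("report.zip", lure=False, payload_lines=1300)
SMALL_LURE = build_message("details.zip", lure=True, payload_lines=50)

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("legit zip", LEGIT_ZIP), ("small lure", SMALL_LURE)):
        print(f"{label:10s} {len(raw):7d} bytes  trapped={is_sobig(raw)}  {sorted(sobig_reasons(raw))}")
```

Running the script prints, for each sample, which conditions matched and whether the whole recipe would have fired; the third sample shows why the size window matters, since it carries both the lure text and a listed attachment name yet stays below 98000 bytes and is left alone.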
