[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm

aaz aaz at webcapacity.com
Thu Jun 26 07:40:42 PDT 2003


Hi,
We are using the sanitizer and spamassassin on our system.

In our /etc/procmailrc file we have the sanitizer calls and INCLUDERC's
first and then at the end of the file we have

:0fw
* < 256000
| spamc

The effect we want is to have the sanitizer do its thing before the
spamassassin gets it. However, just the opposite is happening. Spamassassin
is running before the sanitizer. How to correct this?


----- Original Message ----- 
From: "John D. Hardin" <jhardin at impsec.org>
To: "Pierre Etchemaite" <petchema at concept-micro.com>
Cc: <esd-l at spconnect.com>
Sent: Thursday, June 26, 2003 7:23 AM
Subject: Re: [Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm


> On Thu, 26 Jun 2003, Pierre Etchemaite wrote:
>
> > Some rules quarantine, others discard; some rules notify, that one
> > doesn't...
> > Is there a logic behind those differences, or only historical reasons?
> >
> > Just wondering...
>
> Some of it does have a reason, some is sloppiness. :)
>
> Where the identification is reliable, the default is to discard. Where
> it's iffy (like with SoBig) you should quarantine.
>
> The "NONOTIFY" was my failure to clean up a cut-and-paste from my
> local rulesets: I'm discarding notifications on known attacks. I have
> changed SoBig to NOTIFY in the sample ruleset file - thanks for
> mentioning this.
>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   The fetters imposed on liberty at home have ever been forged out
>   of the weapons provided for defense against real, pretended, or
>   imaginary dangers from abroad.
>                                             -- James Madison, 1799
> -----------------------------------------------------------------------
>    495 days until the Presidential Election
>
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
>



