[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm

Smart,Dan SmartD at VMCMAIL.com
Thu Jun 26 07:53:51 PDT 2003


John, 
To add a log statement after a header filter command, what should the flags
be?

The following gives me extraneous flags errors. 

# Trap SoBig (signature as of 06/25/2003)
#
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
        :0 B hfi
        * ^Please see the attached zip file for details\.
        * ^Content-Disposition: attachment;
        * ^Content-Transfer-Encoding: base64
        * ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)\.zip"?
        {
          LOG="TRAPPED: Probable SoBig worm"
          :0 hfi
            | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
                      -A "X-Content-Security: [$HOST] QUARANTINE" \
                      -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/av

<<Dan>>


 

| 
| -----Original Message-----
| From: John D. Hardin [mailto:jhardin at impsec.org] 
| Sent: Wednesday, June 25, 2003 11:05 PM
| To: Email Security Discussion list
| Cc: Email Security Announce list
| 
| On Wed, 25 Jun 2003, John D. Hardin wrote:
| 
| >         * ^Content-(Type|Disposition):.*name *= ~*"?(your_details|application|document|screensaver|movie)\.zip"?
| 
| ...crap. How did that tilde creep in there?
| 
|   * ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)\.zip"?
|  
| --
|  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
|  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
|  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
| -----------------------------------------------------------------------
|   The fetters imposed on liberty at home have ever been forged out
|   of the weapons provided for defense against real, pretended, or
|   imaginary dangers from abroad.
|                                             -- James Madison, 1799
| -----------------------------------------------------------------------
|    496 days until the Presidential Election
| 
| _______________________________________________
| Esd-l mailing list
| Esd-l at spconnect.com
| http://www.spconnect.com/mailman/listinfo/esd-l
| 
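Added example, not from Dan's message or the Sanitizer project: the recipe's signature conditions (size window, multipart/mixed, the body line, and a base64 attachment whose Content-Type or Content-Disposition name is one of the listed .zip names) re-expressed as a Python check, run over a constructed sample message so the match logic can be exercised without procmail. The sample message and its names are constructed here; the parser strips the optional quotes that the procmail regex allows, so the name pattern below omits them.

```python
import re
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Conditions lifted from the procmail recipe above (SoBig signature as of 06/25/2003).
SIZE_MIN, SIZE_MAX = 100000, 120000          # "* > 100000" and "* < 120000"
ZIP_NAME_RE = re.compile(r"^(your_details|application|document|screensaver|movie)\.zip$", re.I)
BODY_LINE_RE = re.compile(r"^Please see the attached zip file for details\.", re.M)

def matches_sobig_signature(raw: bytes) -> bool:
    """True when a raw RFC 822 message meets every condition of the recipe."""
    if not (SIZE_MIN < len(raw) < SIZE_MAX):
        return False
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/mixed":
        return False
    body_ok = attachment_ok = False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_type() == "text/plain":
            # The recipe's "B" flag matches the body line; check the text part.
            text = part.get_payload(decode=True).decode("ascii", "replace")
            body_ok = body_ok or bool(BODY_LINE_RE.search(text))
            continue
        # get_filename() reads filename= from Content-Disposition, else name= from
        # Content-Type, mirroring the Content-(Type|Disposition) condition.
        name = part.get_filename() or ""
        if (part.get_content_disposition() == "attachment"
                and part.get("Content-Transfer-Encoding", "").lower() == "base64"
                and ZIP_NAME_RE.match(name)):
            attachment_ok = True
    return body_ok and attachment_ok

def build_sample(zip_name: str, payload_size: int = 78000) -> bytes:
    """Constructed test message (not a real worm sample): multipart/mixed with the
    body line and a base64 zip attachment of the given name; 78000 raw bytes
    lands the encoded message inside the recipe's size window."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "sender@example.invalid"       # constructed address
    msg["Subject"] = "Re: Your details"
    msg.attach(MIMEText("Please see the attached zip file for details.\n"))
    att = MIMEApplication(b"\0" * payload_size, "zip", name=zip_name)  # base64 by default
    att.add_header("Content-Disposition", "attachment", filename=zip_name)
    msg.attach(att)
    return msg.as_bytes()

if __name__ == "__main__":
    print(matches_sobig_signature(build_sample("your_details.zip")))  # True
    print(matches_sobig_signature(build_sample("report.zip")))        # False
```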