[Esd-l] Signature to trap Mimail.C (fwd)

John D. Hardin jhardin at impsec.org
Tue Nov 4 15:47:35 PST 2003


---------- Forwarded message ----------
Date: Mon,  3 Nov 2003 14:33:27 -0500
From: J Paul Keen <paulk at floridachristian.org>
To: jhardin at impsec.org
Subject: Signature to trap Mimail.C

This should trap the Mimail.C variant of the Mimail worm.  We do not currently
use Mail Sanitizer; however, it has helped me set up some of our school's mail
filtering.  I tried to modify it for use in your sample Local Rules script file.
Hopefully this will help others.  If you have any questions or comments, feel
free to contact me.

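# Trap Mimail.C
#
# Outer recipe: header conditions (mailer string and multipart/mixed).
:0
* ^X-Mailer:.*The Bat
* ^Content-Type:.*multipart/mixed;
{
     # B: match the conditions against the body.
     # h f: pipe the header through formail as a filter, so the tagged
     #      message continues through the rules instead of being
     #      delivered to formail and lost.
     # i: ignore write errors on the pipe.
     :0 B hfi
     * ^Content-Type: application/x-zip-compressed;
     * ^Content-Transfer-Encoding: base64
     * ^Content-Disposition: attachment;.*photos\.zip
     * ^UEsDBAoAAAAAA
     | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] QUARANTINE" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped MiMail.C worm - http://www.sarc.com/avcenter/venc/data/w32.mimail.c@mm.html"
}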


--Paul Keen
  Technology Coordinator
  Florida Christian School
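
Added example, not part of the original post or of the sanitizer's own rules: a Python emulation of the recipe's conditions, run over constructed messages, that also decodes what the base64 prefix UEsDBAoAAAAAA pins in the ZIP local file header. The sample() helper, the addresses and the payload bytes are constructed, and the emulation assumes procmail unfolds continued lines only in the message header, not in the body.

```python
import base64
import re
import struct

# Conditions copied from the recipe above; procmail matches case-insensitively.
HEADER_CONDS = [r"^X-Mailer:.*The Bat", r"^Content-Type:.*multipart/mixed;"]
BODY_CONDS = [
    r"^Content-Type: application/x-zip-compressed;",
    r"^Content-Transfer-Encoding: base64",
    r"^Content-Disposition: attachment;.*photos\.zip",
    r"^UEsDBAoAAAAAA",
]

def decode_zip_prefix(prefix="UEsDBAoAAAAAA"):
    """Return (signature, version_needed, flags, method_low_byte) pinned by the prefix."""
    raw = base64.b64decode(prefix[:12])  # 12 chars -> 9 whole bytes; 13th char adds 6 zero bits
    return struct.unpack("<4sHHB", raw)

def recipe_matches(raw_message):
    """Emulate the recipe: outer conditions on the header, inner ones on the body (B flag)."""
    head, _, body = raw_message.partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)  # assumption: only the header is unfolded
    flags = re.I | re.M
    return (all(re.search(c, head, flags) for c in HEADER_CONDS)
            and all(re.search(c, body, flags) for c in BODY_CONDS))

def sample(zip_header, disposition='attachment; filename="photos.zip"'):
    """Build a constructed test message carrying only a bare ZIP local header, no payload."""
    b64 = base64.b64encode(zip_header + bytes(20)).decode()
    return (
        "From: constructed@example.invalid\n"
        "X-Mailer: The Bat! (constructed)\n"
        'Content-Type: multipart/mixed; boundary="b"\n'
        "\n"
        "--b\n"
        'Content-Type: application/x-zip-compressed; name="photos.zip"\n'
        "Content-Transfer-Encoding: base64\n"
        f"Content-Disposition: {disposition}\n"
        "\n"
        f"{b64}\n"
        "--b--\n"
    )

STORED = b"PK\x03\x04\x0a\x00\x00\x00\x00\x00"    # version 1.0, method 0 (stored)
DEFLATED = b"PK\x03\x04\x14\x00\x00\x00\x08\x00"  # version 2.0, method 8 (deflate)

if __name__ == "__main__":
    print(decode_zip_prefix())
    print(recipe_matches(sample(STORED)), recipe_matches(sample(DEFLATED)))
    print(recipe_matches(sample(STORED, 'attachment;\n\tfilename="photos.zip"')))
```

In this emulation the signature fires only when the first ZIP entry is stored (method 0, version 1.0) and the filename sits on the same line as Content-Disposition; a deflated archive or a folded Content-Disposition line does not match.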


