I don't know what's going on, but I've been getting literally hundreds of
virus/worm-looking emails per hour all day today. I grew tired of it and
wrote the following Sieve script to filter my mail on the server.

The pseudo-bounce messages were particularly annoying; they're close enough
to the real bounce messages that I *want* to keep that they justified a
little closer examination. I'll probably tighten the other message type to
also examine the sender, but I doubt I'll be getting any legitimate mails
that look like:

    Subject: latest security patch

in the near future. Anyway, enjoy as you see fit.
############################################################
#### Virus detection
# 2003-09-18: Something stupid and Microsofty
# fileinto is an extension and has to be declared before it is used
require "fileinto";

if anyof(
    # This one is super-annoying; it mimics real bounce messages
    allof(
        header :matches "From" [
            "email*",
            "internet*",
            "microsoft*",
            "ms*" ],
        header :matches "From" [
            "*service",
            "*system" ],
        header :is "Subject" [
            "abort advice",
            "abort letter",
            "Error Notice",
            "mail: user unknown",
            "Returned Mail",
            "returned message" ]
    ),
    # "Current Security Pack", "New Security Update", etc.
    allof(
        header :matches "Subject" [
            "current*",
            "last*",
            "latest*",
            "microsoft*",
            "new*",
            "newest*" ],
        header :matches "Subject" [
            "*upgrade",
            "*update",
            "*pack",
            "*patch" ]
    )
)
{
    fileinto "INBOX.virus.2003-09-18";
}
############################################################
############################################################
--
Kirk Strauser
The Strauser Group
Open. Solutions. Simple.
http://www.strausergroup.com/
Kirk Strauser <kirk@strauser.com> wrote:
> I don't know what's going on, but I've been getting literally hundreds of
> virus/worm-looking emails per hour all day today. I grew tired of it and
> wrote the following Sieve script to filter my mail on the server.
>
> The pseudo-bounce messages were particularly annoying; they're close enough
> to the real bounce messages that I *want* to keep that they justified a
> little closer examination. I'll probably tighten the other message type to
> also examine the sender, but I doubt I'll be getting any legitimate mails
> that look like:
>
>     Subject: latest security patch
>
> in the near future. Anyway, enjoy as you see fit.
I got lots of those, too. From looking at the headers,
there didn't seem to be very reliable things to identify
that crap, so I decided to filter by body.
The following is an excerpt from my ~/.mailfilter (I'm
using /usr/ports/mail/maildrop):
# Both patterns are body matches (:b): the worm's boilerplate text, or the
# header of its executable attachment disguised as an audio part.
if (/^"September 2003, Cumulative Patch" update which /:b || \
    /^Content-Type: audio\/x-(wav|midi); name="[a-z]*\.(exe|com|bat|scr)"/:b)
{
    to "$HOME/Mail/fake-ms-crap"
}
Regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
C++: "an octopus made by nailing extra legs onto a dog"
-- Steve Taylor, 1998
:
:I don't know what's going on, but I've been getting literally hundreds of
:virus/worm-looking emails per hour all day today. I grew tired of it and
:wrote the following Sieve script to filter my mail on the server.
:
:The pseudo-bounce messages were particularly annoying; they're close enough
:to the real bounce messages that I *want* to keep that they justified a
:little closer examination. I'll probably tighten the other message type to
:also examine the sender, but I doubt I'll be getting any legitimate mails
:that look like:
:
:    Subject: latest security patch
:
:in the near future. Anyway, enjoy as you see fit.
:...
You aren't the only one. My mail system processed over a thousand
of these blasted things overnight. I had over 200 in my mailbox
this morning.
Fortunately it took only two quick commands to wipe them,
matching on a portion of the virus content.
I finally caved in and modified my libmilter based filter to
substring-match elements of the virus in the body of the email
and reject it outright, in real time.
-Matt
+--- On Thursday, September 18, 2003 23:33 ---
| Kirk Strauser proclaimed:
|
| I don't know what's going on, but I've been getting literally hundreds of
| virus/worm-looking emails per hour all day today. I grew tired of it and
| wrote the following Sieve script to filter my mail on the server.
|
| The pseudo-bounce messages were particularly annoying; they're close
| enough to the real bounce messages that I *want* to keep that they
| justified a little closer examination. I'll probably tighten the other
| message type to also examine the sender, but I doubt I'll be getting any
| legitimate mails that look like:
|
|     Subject: latest security patch
|
| in the near future. Anyway, enjoy as you see fit.
|
I have found the following line in my Postfix body_checks.regexp to be very
satisfying:
/^TVqQAAMA/ REJECT Sorry, no executables allowed... zip it up.
Googling for that eight character string revealed it as the common
denominator for win32 execs.
--
Mike
perl -e 'print
unpack("u","88V]N=&%C=\"!I;F9O(&EN(&AE861E<G,*");'
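An added illustration (Python, not from any message in this thread) of why the body_checks pattern Mike quotes works and what it misses: "TVqQAAMA" is simply base64 of the first six bytes of a typical Win32 executable header, and because each base64 character depends on a whole three-byte group, an executable whose bytes after "MZ" differ encodes to different characters. Decoding the first line of each base64 run in the body and checking for "MZ" directly does not depend on those bytes. The MIME part, the header bytes and the zero padding after them are constructed for the demo.

```python
import base64
import binascii
import re

# base64 of b"MZ\x90\x00\x03\x00" (DOS "MZ" magic plus the e_cblp/e_cp
# fields most Win32 linkers emit): the eight characters the rule keys on.
LITERAL_PREFIX = "TVqQAAMA"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")

def b64_prefix(header: bytes) -> str:
    """Base64 text a body part whose raw bytes start with `header` begins with."""
    return base64.b64encode(header).decode()

def literal_rule_hits(body: str) -> list:
    """1-based line numbers the literal /^TVqQAAMA/ pattern would reject on."""
    return [n for n, l in enumerate(body.splitlines(), 1)
            if l.startswith(LITERAL_PREFIX)]

def decoded_mz_hits(body: str) -> list:
    """1-based line numbers where a base64 run starts whose decoded bytes begin
    with 'MZ'. Only the first line of a run is decoded: base64 groups are
    aligned there, so the magic is recoverable without a full MIME parser."""
    hits, in_run = [], False
    for n, line in enumerate(body.splitlines(), 1):
        is_b64 = bool(B64_LINE.match(line))
        if is_b64 and not in_run:
            try:
                if base64.b64decode(line, validate=True).startswith(b"MZ"):
                    hits.append(n)
            except binascii.Error:
                pass  # an ordinary word that merely looks like base64
        in_run = is_b64
    return hits

def make_part(header: bytes) -> str:
    """Constructed sample: one MIME part shaped like the worm's attachment
    (audio/x-wav with an .exe name); bytes after `header` are zero padding."""
    payload = base64.encodebytes(header + b"\x00" * 58).decode()
    return ('Content-Type: audio/x-wav; name="patch.exe"\n'
            "Content-Transfer-Encoding: base64\n\n" + payload)

if __name__ == "__main__":
    typical = make_part(b"MZ\x90\x00\x03\x00")
    unusual = make_part(b"MZ\x00\x00\x00\x00")  # other values in the DOS header
    print(literal_rule_hits(typical), decoded_mz_hits(typical))  # [4] [4]
    print(literal_rule_hits(unusual), decoded_mz_hits(unusual))  # [] [4]
```

The decoded check is what a milter or content filter can do cheaply per message; the literal pattern remains the right tool where, as in Postfix body_checks, only a regexp over raw body lines is available.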
On Thu, 18 Sep 2003 at 22:33 -0500, Kirk Strauser wrote:

> I don't know what's going on, but I've been getting literally
> hundreds of virus/worm-looking emails per hour all day today.

I've added the following to my sendmail .mc file:

    define(`confMAX_MESSAGE_SIZE', `125000')

This stops the bloatware Virus/Worm/Trojan emails. Real bounces which
strip the executable still come through. It also should put a stop to a
bunch of other unwanted junk that should not be sent through email.

Stuart Barkley
--
I've never been lost; I was once bewildered for three days, but never lost!
-- Daniel Boone