[clug] Procmail rule to match all this virus email?
Peter Barker
pbarker at barker.dropbear.id.au
Wed Jan 28 21:40:04 GMT 2004
On Thu, 29 Jan 2004, Michael Still wrote:
> I've now received about 200 of these virus emails.
I have a catchall on barker.dropbear.id.au; I'm getting /lots/ of these
bastards.
What's this thing doing?
- changing the "social engineering" text
- changing the "to" line (trying common names @domain.name?)
- forging the from line (I received a seemingly-real bounce message)
I can't see any conveniently common string in the non-binary parts of the
message.
There appear to be at least two different payloads, so at least two
strings to try to match in the attachments.
> Anyone got a suggestion for a procmail rule which will filter them out? I
> don't want to drop _all_ mail with zip attachments however...
I'm thinking about matching strings in the attachment. That's about the
best I've come up with.
> Mikal
Yours,
--
Peter Barker | N _--_|\ /---- Barham, Vic
Programmer,Sysadmin,Geek | W + E / /\
pbarker at barker.dropbear.id.au | S \_,--?_*<-- Canberra
You need a bigger hammer. | v [35S, 149E]
"They'll need a whole new Orwellian pseudo-crime-name for that... I
suggest "digital molestation of kittens". - Jeremi (14640) from Slashdot
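
An added example, not part of the original post: one way to find the "strings in the attachment" to match. procmail does no MIME decoding, so a body rule sees the encoded attachment lines as they appear in the raw message. The sketch picks the fewest such lines that hit every unwanted sample while hitting no wanted mail with a zip attached. All messages, addresses and payload bytes below are constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MIN_LEN = 40  # ignore short trailing lines; they make weak match strings

def encoded_lines(raw):
    """Encoded attachment lines exactly as they appear in the raw message body."""
    lines = set()
    for part in message_from_string(raw).walk():
        if part.get_filename():
            lines.update(l for l in part.get_payload().split() if len(l) >= MIN_LEN)
    return lines

def pick_strings(unwanted, wanted):
    """Greedy cover: fewest lines that hit every unwanted sample and no wanted one."""
    keep = set().union(*map(encoded_lines, wanted))
    remaining = {i: encoded_lines(m) - keep for i, m in enumerate(unwanted)}
    chosen = []
    while any(remaining.values()):
        counts = Counter(l for ls in remaining.values() for l in ls)
        best = max(counts, key=lambda l: (counts[l], l))  # most samples covered
        chosen.append(best)
        remaining = {i: ls for i, ls in remaining.items() if best not in ls}
    return chosen, sorted(remaining)  # second value: samples no string covers

def sample(subject, sender, rcpt, text, payload):
    """Build one constructed test message (not real captured mail)."""
    msg = MIMEMultipart()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, rcpt
    msg.attach(MIMEText(text))
    att = MIMEApplication(payload)  # base64-encoded, 76-character lines
    att.add_header("Content-Disposition", "attachment", filename="file.zip")
    msg.attach(att)
    return msg.as_string()

HEADER = b"H" * 57  # constructed: bytes every archive shares (one encoded line)
PAYLOAD_A = HEADER + b"constructed payload A " * 10
PAYLOAD_B = HEADER + b"constructed payload B " * 10
UNWANTED = [  # subject, sender, recipient and text all vary; payloads do not
    sample("hello", "a@example.org", "john@example.net", "see attached", PAYLOAD_A),
    sample("test", "b@example.org", "mary@example.net", "open this", PAYLOAD_A),
    sample("status", "c@example.org", "bob@example.net", "details", PAYLOAD_B),
]
WANTED = [sample("report", "d@example.org", "me@example.net", "Q4 figures",
                 HEADER + b"quarterly report " * 10)]

if __name__ == "__main__":
    strings, uncovered = pick_strings(UNWANTED, WANTED)
    print("\n".join(strings), "\nuncovered samples:", uncovered)
```

With two distinct payloads the result is two strings; the encoded line shared with the wanted zip is excluded, so a rule built on the result leaves ordinary zip mail alone.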