[clug] Procmail rule to match all this virus email?

Arjen Lentz arjen at mysql.com
Wed Jan 28 21:48:59 GMT 2004


Hi Michael,

On Thu, 2004-01-29 at 06:00, Michael Still wrote:
> I've now received about 200 of these virus emails.
> 
> Anyone got a suggestion for a procmail rule which will filter them out? I 
> don't want to drop _all_ mail with zip attachments however...

This one actually catches the non-zip versions of this and many other
viruses. As I've found it reliable, I now chuck it straight to /dev/null.

# catch all executable attachments
# (B = match in the body; "$?" allows the NAME= parameter to sit on a
# folded continuation line, which "." alone cannot cross in procmail)
:0 B
* ^Content-Type: .*/.*;$?.*NAME=.*\.(exe|com|bat|pif|scr|lnk)
/dev/null


For the MyDoom virus specifically... subject and body text aren't stable
(and may be empty). The following appears to be a reasonable combination
of characteristics, but I can't get them to work in procmail:

# MyDoom: Windows-1252 text part, executable or zip attachment, and a
# base64 body starting with the zip header (PK\003\004 -> "UEsDBA")
# The name= parameter is joined to the Content-Type line with the same
# "$?" idiom as the recipe above, so a folded header still matches.
:0 B
* ^Content-Type: text/plain; charset="Windows-1252"
* ^Content-Type: application/octet-stream;$?.*name=.*\.(bat|cmd|exe|pif|scr|zip)
* ^UEsDBAoAAAAAA.....DKJx\+eAFgAAABYAA
/dev/null

The lines work when I do them manually with egrep, so it must be some
quirkiness inside procmail (which uses the egrep code!). Procmail
doesn't even match the first one. Something is wrong in the pattern,
even though it's a direct copy from a message. I've been messing with
lots of escaping, and I just can't find it.
Any thoughts appreciated!


> PS: What were the virus scanner people thinking when they wrote the code to 
> send me a warning of infection? I have as many of these as I do the virus, 
> and I'm _not_infected_!

Yeah, that's one of my gripes, too.
These viruses are known to use fake From addresses. Virus signature
databases just need an extra flag noting whether feedback would make
sense or not.

Last time, I managed to talk with the people from the MailMarshall
software. They already had a global flag for the responder, but changed
it so that in their new version it would be set to off by default.
So that's something.
I suppose adding stuff to the signature DB is perhaps more tricky
(though that shouldn't be a problem with a decent forward-compatible
structure design!).
I didn't find people to talk to at the other antivirus companies (lovely
websites)...

I really feel they cause a major part of the problem. The virus itself
is easy enough to catch; the bounces are way more difficult,
particularly with the report messages being in different languages.
It also doubles or even triples the mail flow on the net (the report
message, and then possibly a bounce because the address doesn't exist
any more).

Regards,
Arjen.
-- 
Arjen Lentz, Technical Writer, Trainer
Brisbane, QLD Australia
MySQL AB, www.mysql.com

Sydney 1 Mar 2004 (5 days): Using & Managing MySQL Training
Training,Support,Licenses,T-shirts @ https://order.mysql.com/?marl
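An added example, not part of Arjen's post or of the procmail recipes above: the same two checks (an attachment with an executable extension, and the MyDoom combination of a Windows-1252 text/plain part plus a zip-or-executable attachment whose payload is a zip archive) done in Python on a parsed MIME message instead of with regexes over the raw body. The extension lists are taken from the recipes; the three sample messages, the payload bytes, the boundary and the addresses are constructed for the example.

```python
"""Attachment checks from the procmail recipes, redone on parsed MIME.

Added example, not code from the original post.  Parsing first means the
parser unfolds headers and decodes base64 for us, so a folded "name="
parameter and base64 alignment stop being a problem.  All sample messages,
payload bytes and addresses below are constructed for the example.
"""
import base64
import email
import email.policy

EXEC_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "lnk"}
MYDOOM_ATTACHMENT_EXTENSIONS = EXEC_EXTENSIONS | {"zip"}
ZIP_MAGIC = b"PK\x03\x04"   # zip local-file header; base64 of it begins "UEsDBA"


def extension(filename):
    """Lower-cased extension of a filename, or '' if it has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def scan(raw):
    """Collect the indicators the recipes key on, from one raw message (bytes)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    found = {"exec_attachment": [], "zip_payload": [], "windows1252_text": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() tries Content-Disposition filename= first and falls
        # back to Content-Type name=, case-insensitively, after unfolding.
        name = part.get_filename() or ""
        ext = extension(name)
        if ext in EXEC_EXTENSIONS:
            found["exec_attachment"].append(name)
        if (part.get_content_type() == "text/plain"
                and (part.get_content_charset() or "") == "windows-1252"):
            found["windows1252_text"] = True
        if ext in MYDOOM_ATTACHMENT_EXTENSIONS:
            # Decode the transfer encoding and test the real bytes, so the
            # check does not depend on where the base64 stream starts.
            payload = part.get_payload(decode=True) or b""
            if payload.startswith(ZIP_MAGIC):
                found["zip_payload"].append(name)
    return found


def verdict(raw):
    """'deliver', or a 'drop: ...' reason mirroring the two procmail recipes."""
    found = scan(raw)
    if found["exec_attachment"]:
        return "drop: executable attachment"
    if found["windows1252_text"] and found["zip_payload"]:
        return "drop: mydoom-like"
    return "deliver"


def raw_message(text_charset, attachment_headers, payload):
    """Assemble a constructed two-part MIME message as bytes (test data only)."""
    b64 = base64.encodebytes(payload).decode()
    return (
        "From: sender@example.com\nTo: recipient@example.org\nSubject: hello\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        f'--b1\nContent-Type: text/plain; charset="{text_charset}"\n'
        "Content-Transfer-Encoding: 7bit\n\nSee the attachment.\n"
        f"--b1\n{attachment_headers}\nContent-Transfer-Encoding: base64\n\n"
        f"{b64}--b1--\n"
    ).encode()


ZIP_PAYLOAD = ZIP_MAGIC + b"\x0a\x00" + b"\x00" * 24   # constructed, zip-shaped
EXE_PAYLOAD = b"MZ" + b"\x00" * 30                     # constructed, PE-shaped

# Windows-1252 text part + zip attachment carrying a zip: all indicators present.
MYDOOM_LIKE = raw_message("Windows-1252",
    'Content-Type: application/octet-stream; name="document.zip"', ZIP_PAYLOAD)
# Same zip attachment with an ordinary charset: the combination does not fire,
# which is what keeps legitimate zip mail out of /dev/null.
LEGIT_ZIP = raw_message("us-ascii",
    'Content-Type: application/zip; name="report.zip"', ZIP_PAYLOAD)
# NAME= folded onto a continuation line and in upper case; a single-line,
# case-sensitive regex over the raw body would not see it.
FOLDED_EXE = raw_message("us-ascii",
    'Content-Type: application/octet-stream;\n\tNAME="Readme.EXE"', EXE_PAYLOAD)

if __name__ == "__main__":
    for label, raw in (("mydoom-like", MYDOOM_LIKE), ("legit zip", LEGIT_ZIP),
                       ("folded exe", FOLDED_EXE)):
        print(f"{label:12s} -> {verdict(raw)}")
```

Two of the things the recipes have to fight with disappear once the message is parsed: the `name=` parameter is frequently folded onto a continuation line, which `.` in a procmail regexp cannot cross (the first recipe's `$?` exists for exactly that), and a base64 signature such as `UEsDBAo` is only stable when the archive starts at byte 0 of the encoded part, whereas decoding and testing for `PK\x03\x04` does not depend on alignment.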
