[linux-elitists] Swen

Martin Pool mbp@sourcefrog.net
Mon Sep 22 00:17:16 PDT 2003


On 22 Sep 2003 "Matthew W. Miller" <mwmiller@columbus.rr.com> wrote:

> On Sun, Sep 21, 2003 at 07:34:36PM -0400, James Morris wrote:
> >Does anyone have a good procmail recipe for catching this one?  I've 
> >managed to block 26MB of it (just for my account), but can't keep up
> >with all of the variations.

LOGFILE=procmaillog
MAILDIR=/home/mbp/Mail

# B flag: match the condition against the message body; trailing ':' locks the mailbox
:0B:
*TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
virus-in

This matches the start of a base64-encoded PE executable.  I have no
desire to ever receive them by email.  Despite the varying headers,
every(?) worm to date has contained this in the body.

Also, to catch stupid bounce messages:

# no B flag: match against the headers; procmail regexps are case-insensitive by default
:0:
* Subject:.*(Thank you!|(My|Your|re:) (application|details)|That movie|Virus|delivery fail|blocked attachment|delivery notification|returned mail|Prohibited|delivery status notification|undeliver(ed|able)|wicked screensaver|re: approved|report to sender)
virus-in

I then set up logrotate to roll over the log file and virus mailbox
every week or so.

An elitist receives their mail through a shell box where they can run
server-side procmail or spamassassin filtering.

-- 
Martin 