On Thu, Aug 21, 2003, Boaz Rymland wrote about "Re: Procmail recipe for filtering Sobig-originated E-mail?":
> Notice that filtering based on the subject opens the possibility for
> false-positives, since a possible innocent mail might include in its
> body the sentence "See the attached file..." (and, it's not that far
> fetched).
>
> I think it's even better filtering via your SMTP server, if you have
> one.
This sentence and the paragraph above seriously contradict each other... If you are afraid of false-positives, the worst thing you could do is to do the filtering before the user has a chance to save a failsafe copy.

> In short, to stop *this virus only* add the following to your main.cf
> file. Make sure this is inserted before the "<...>restrictions"

You might want to look again at the much simpler procmail script I suggested in an earlier mail, based on some random piece of code I picked up from this virus. This will not only catch the virus itself, but also stuff like bounces containing a copy of the virus (for bounces without a copy of the message, see below).

Yes, it's really strange that worm writers don't make them polymorphic to avoid trivial detection. It's a fairly trivial thing to do... But still, they don't, and you can take advantage of that fact.

If you want to also catch bounces of viruses sent in your name to other people but that don't necessarily include a full copy of the virus, you can use something like this:

    :0
    * ^from +MAILER-DAEMON[ @]
    * !^Message-id: [EMAIL PROTECTED]
    fakebounces

Where your.machine.com is where you usually send your emails from (this can also be a regular expression, of course).

This simple recipe tries to only capture "fake" bounces, bounces that are not actually replies to emails you sent, because they include the wrong Message-id text. Real bounces of your emails will not be captured into this fakebounces.

-- 
Nadav Har'El                        | Thursday, Aug 21 2003, 24 Av 5763
[EMAIL PROTECTED]                   |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |A language is a dialect with an army.
http://nadav.harel.org.il           |

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
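The fake-bounce test in the recipe above, written out as a small Python classifier so the logic can be checked against sample messages. This is an added example, not code from the list post or from procmail. It assumes the placeholder domain your.machine.com from the post as the local sending domain, treats the `Message-Id` check the way procmail's `^` anchoring does (a line start anywhere in the text searched, here both headers and body, so a real bounce that quotes the original message's Message-Id is recognised), and generalises the sender test slightly to accept either a Unix `From ` envelope line or a `From:` header naming MAILER-DAEMON. The three sample messages are constructed for this example.

```python
import re

# Assumed local sending domain (the post uses this as a placeholder).
OUR_DOMAIN = "your.machine.com"

# Sender looks like a mailer bounce: Unix "From MAILER-DAEMON ..." envelope
# line or a "From: MAILER-DAEMON@..." header (the recipe only matches the
# former; accepting both is a deliberate generalisation).
BOUNCE_SENDER = re.compile(r"^From:?\s+MAILER-DAEMON[ @]", re.IGNORECASE | re.MULTILINE)


def own_message_id_pattern(domain: str) -> "re.Pattern[str]":
    """A Message-Id line, at the start of some line, carrying our domain.
    Searched over headers and body together, so a genuine bounce that quotes
    the original message's headers matches."""
    return re.compile(r"^Message-Id:.*@" + re.escape(domain), re.IGNORECASE | re.MULTILINE)


def classify(raw: str, domain: str = OUR_DOMAIN) -> str:
    """Return 'bounce' (a real bounce of our mail), 'fakebounce' (a bounce
    that never references a message we sent) or 'other'."""
    if not BOUNCE_SENDER.search(raw):
        return "other"
    if own_message_id_pattern(domain).search(raw):
        return "bounce"
    return "fakebounce"


def mailbox_for(raw: str, default: str = "inbox") -> str:
    """Folder a delivery agent would choose, mirroring the recipe: only fake
    bounces are diverted into 'fakebounces'; everything else stays put."""
    return "fakebounces" if classify(raw) == "fakebounce" else default


# --- constructed sample messages --------------------------------------

# A real bounce: the remote MTA quotes our original headers in the body.
REAL_BOUNCE = """From MAILER-DAEMON Thu Aug 21 12:00:00 2003
From: Mail Delivery System <MAILER-DAEMON@relay.example.net>
To: me@your.machine.com
Subject: Undelivered Mail Returned to Sender
Message-Id: <bounce-1@relay.example.net>

The message could not be delivered to one or more recipients.

--- Original message headers ---
From: me@your.machine.com
To: friend@example.org
Message-Id: <20030821120000.1234@your.machine.com>
Subject: Re: weekend plans
"""

# A fake bounce: our address was forged as sender, but nothing in the bounce
# carries a Message-Id from our domain, because we never sent the mail.
FAKE_BOUNCE = """From MAILER-DAEMON Thu Aug 21 13:00:00 2003
From: MAILER-DAEMON@mailhost.example.org
To: me@your.machine.com
Subject: Returned mail: User unknown
Message-Id: <bounce-2@mailhost.example.org>

The original message was received at Thu, 21 Aug 2003 12:55:00 +0300
----- Transcript of session follows -----
550 5.1.1 <nobody@example.org>... User unknown

----- Original message -----
From: me@your.machine.com
Message-Id: <z9f8q@infected-host.example.com>
Subject: Thank you!
"""

# An ordinary message: not from a mailer daemon at all.
NORMAL = """From alice@example.org Thu Aug 21 14:00:00 2003
From: alice@example.org
To: me@your.machine.com
Message-Id: <lunch-42@example.org>
Subject: lunch?

Lunch at one?
"""

if __name__ == "__main__":
    for name, raw in [("real", REAL_BOUNCE), ("fake", FAKE_BOUNCE), ("normal", NORMAL)]:
        print(f"{name:7s} -> {classify(raw):10s} ({mailbox_for(raw)})")
```

The check is deliberately header-shaped rather than content-shaped: it does not depend on any string from the worm, so it keeps working when a different worm forges your address, while a genuine bounce of your own mail still lands in the inbox as long as the remote MTA quotes the original Message-Id.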
