Nadav Har'El wrote:

On Thu, Aug 21, 2003, Boaz Rymland wrote about "Re: Procmail recipe for filtering Sobig-originated E-mail?":


Notice that filtering based on the subject opens the possibility for false positives, since a possible innocent mail might include in its body the sentence "See the attached file..." (and, it's not that far fetched).

I think it's even better filtering via your SMTP server, if you have one.



This sentence and the paragraph above seriously contradict each other...
If you are afraid of false-positives, the worst thing you could do is
to do the filtering before the user has a chance to save a failsafe copy.


the original meaning was double:
1. Filtering based on subject enables, unfortunately, identifying innocent mail as spam. AFAIK, your filter is based on actual binary content, so I guess it's almost as safe as filtering based on attachment name, as far as the false-positive rate is concerned.
2. I think that indeed, denying email live, on-session, disables the failsafe copy creation option (the most one can "get" is the headers, to some stage, not sure even full), but it does save resources (at least bandwidth). The choice is in one's hands... BTW, there might be a way to put postfix (which I forgot to mention my setup refers to...) in some "debug" mode, which reports such block occurrences, but I'm not sure (?).


I guess what's written below is good, but I don't know procmail and liked the "speedy" method to say bye to spammers :-)
And anyway, that's just another option (mail server level spam/virus filtering).


boaz.



In short, to stop *this virus only* add the following to your main.cf file. Make sure this is inserted before the "<...>restrictions"


You might want to look again at the much simpler procmail script I suggested in an earlier mail, based on some random piece of code I picked up from this virus. This will not only catch the virus itself, but also stuff like bounces containing a copy of the virus (for bounces without a copy of the message, see below).

Yes, it's really strange that worm writers don't make them polymorphic
to avoid trivial detection. It's a fairly trivial thing to do... But still,
they don't, and you can take advantage of that fact.


If you want to also catch bounces of viruses sent in your name to other people but that don't necessarily include a full copy of the virus, you can use something like this:

# HB: match header and body together. procmail's default (H) searches only
# the bounce's own header, whose Message-id was generated by the remote MTA;
# the Message-id of *your* original message is quoted in the bounce body.
:0 HB
* ^from +MAILER-DAEMON[ @]
# The list archive redacted the address pattern on this line ("[EMAIL PROTECTED]");
# it is reconstructed here from the explanation below, with the host escaped.
* !^Message-id:.*@your\.machine\.com
fakebounces

Where your.machine.com is where you usually send your emails from (this
can also be a regular expression, of course). This simple recipe tries
to only capture "fake" bounces, bounces that are not actually replies to
emails you sent, because they include the wrong Message-id text. Real
bounces of your emails will not be captured into this fakebounces.





=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
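The fake-bounce test from the recipe above, written out in Python so it can be run over sample messages. This is an added example and is not code from the thread or from procmail; it assumes your.machine.com as the local domain (the same placeholder the recipe uses), and the three messages it runs on are constructed for the example. It also shows the difference between matching header-only (procmail's default H) and header+body: a real bounce carries your Message-id only inside its body, so a header-only match would drop real bounces into fakebounces too.

```python
"""Classify MAILER-DAEMON mail as real bounces or "fake" bounces.

Added example, not part of the original thread. A fake bounce is a
delivery failure for a message we never sent (e.g. a worm forging our
address): it comes from MAILER-DAEMON but nowhere in header or body is
there a Message-id from our own domain.
"""
import re

MY_DOMAIN = "your.machine.com"  # assumption: placeholder domain, as in the recipe


def is_from_mailer_daemon(text: str) -> bool:
    """Same test as procmail's '^from +MAILER-DAEMON[ @]' (case-insensitive).

    Matches the mbox envelope line 'From MAILER-DAEMON ...'; a header
    'From: <MAILER-DAEMON@host>' does not match because of the colon.
    """
    return re.search(r"^from +MAILER-DAEMON[ @]", text, re.M | re.I) is not None


def has_own_message_id(text: str, domain: str = MY_DOMAIN) -> bool:
    """Same test as '^Message-id:.*@your\\.machine\\.com' over the given text."""
    pattern = r"^Message-id:.*@" + re.escape(domain)
    return re.search(pattern, text, re.M | re.I) is not None


def classify(raw: str, domain: str = MY_DOMAIN) -> str:
    """Header+body match (procmail flags HB). Returns the target folder."""
    if is_from_mailer_daemon(raw) and not has_own_message_id(raw, domain):
        return "fakebounces"
    return "inbox"


def classify_header_only(raw: str, domain: str = MY_DOMAIN) -> str:
    """Header-only match (procmail default H): shown to expose the failure mode."""
    header = raw.split("\n\n", 1)[0]
    if is_from_mailer_daemon(header) and not has_own_message_id(header, domain):
        return "fakebounces"
    return "inbox"


# --- constructed sample messages (not real traffic) ------------------------

# A genuine bounce of a mail we sent: the remote MTA's own Message-Id is in
# the header, ours is quoted in the body with the original headers.
REAL_BOUNCE = """From MAILER-DAEMON Thu Aug 21 10:00:00 2003
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.remote.example>
To: me@your.machine.com
Subject: Returned mail: User unknown
Message-Id: <200308210700.h7L70abc1234@mx.remote.example>

   ----- The following addresses had permanent fatal errors -----
<nobody@remote.example>

   ----- Original message -----
Return-Path: <me@your.machine.com>
Message-Id: <20030821065500.GA4321@your.machine.com>
From: me@your.machine.com
Subject: hello
"""

# A bounce of a worm mail sent in our name from somebody else's machine:
# our address appears as forged From:, but no Message-Id is ours.
FAKE_BOUNCE = """From MAILER-DAEMON Thu Aug 21 11:00:00 2003
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.other.example>
To: me@your.machine.com
Subject: Undeliverable: Re: Details
Message-Id: <200308210800.h7L80xyz5678@mx.other.example>

Your message could not be delivered.

   ----- Original message -----
Message-Id: <000a01c3679f$7f2d3a10$0100a8c0@infected-pc.example>
From: me@your.machine.com
Subject: Re: Details
"""

# Ordinary mail: not from MAILER-DAEMON, so never touched by the recipe.
NORMAL_MAIL = """From alice@elsewhere.example Thu Aug 21 12:00:00 2003
From: alice@elsewhere.example
To: me@your.machine.com
Subject: lunch?
Message-Id: <abc123@elsewhere.example>

See you at one.
"""

if __name__ == "__main__":
    for name, msg in [("real", REAL_BOUNCE), ("fake", FAKE_BOUNCE), ("normal", NORMAL_MAIL)]:
        print(f"{name:6s} HB -> {classify(msg):11s}  H-only -> {classify_header_only(msg)}")
```

The header-only variant files the genuine bounce under fakebounces, which is exactly the false positive the recipe is trying to avoid; that is why the condition has to be checked against the body as well.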


