>
> From: Dan Spray [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 03, 2004 11:22 AM
> To: [EMAIL PROTECTED]
> Subject: New Beagle.J virus problems
>
>
>
> Hello all,
>
>
>
> I am sure that some or all of you have seen the effects of the
> new Beagle.J virus. My question is, how do I blacklist the from address
> when it is my own domain? For example, they show that they are coming
> from [EMAIL PROTECTED] This account doesn't even exist. How
> do I blacklist messages coming from the account?
>
>
>
> Thanks,
>
>
> Dan
>
>
>
> --
> Dan Spray, Director of Internet Operations [EMAIL PROTECTED]
> Connecting Point Norfolk, NE <http://www.conpoint.com/>
> Voice - 402.844.2308 Fax - 402.371.4515
>
> "The porcupine with the sharpest quills gets stuck on a tree
> more often."
>
The Beagle viruses all seem to have an odd boundary we've been able to nab
with procmail:

:0BHh:
* boundary=\"--------[a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z]\"
* filename=.*\.(zip|pif)
/beagle

I'm sure this could easily be modified to an SA rule, maybe something like

rawbody __BEAGLE_VIRUS_BOUND /boundary=\"-{8}[a-z]{20}\"/
rawbody __EXECUTABLE_ATTACH /filename=.*\.(zip|pif)/
meta BEAGLE_VIRUS (__BEAGLE_VIRUS_BOUND && __EXECUTABLE_ATTACH)

Sandy
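
Added example, not part of the original thread: a Python version of the two-condition check from the recipe above (boundary of eight dashes plus twenty lowercase letters, and a .zip or .pif attachment name), using the standard library MIME parser instead of a raw regex over the message. The function names, sample addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Boundary shape from the post: eight dashes followed by twenty lowercase letters.
BOUNDARY_RE = re.compile(r"-{8}[a-z]{20}")
# Attachment extensions from the post; ignoring case is a choice made in this example.
RISKY_EXT_RE = re.compile(r"\.(zip|pif)$", re.IGNORECASE)


def beagle_like(raw):
    """Return True only when both conditions from the post hold for one message."""
    msg = message_from_string(raw)
    # get_boundary() returns the boundary parameter with the quotes removed.
    boundary = msg.get_boundary() or ""
    if not BOUNDARY_RE.fullmatch(boundary):
        return False
    # get_filename() reads Content-Disposition and falls back to Content-Type name=.
    return any(RISKY_EXT_RE.search(part.get_filename() or "") for part in msg.walk())


def build_sample(boundary, filename):
    """Build a constructed two-part message (not a captured sample)."""
    return "\n".join([
        "From: sender@example.com",
        "To: rcpt@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain",
        "",
        "body text",
        f"--{boundary}",
        f'Content-Type: application/octet-stream; name="{filename}"',
        f'Content-Disposition: attachment; filename="{filename}"',
        "",
        "placeholder",
        f"--{boundary}--",
        "",
    ])


if __name__ == "__main__":
    odd = "-" * 8 + "abcdefghijklmnopqrst"
    for b, f in [(odd, "doc.zip"), (odd, "notes.txt"), ("----=_NextPart_000_0001", "doc.zip")]:
        print(f"{f:10} boundary={b!r:32} flagged={beagle_like(build_sample(b, f))}")
```

Requiring both conditions keeps ordinary mail with a .zip attachment, or mail that merely has an unusual boundary, out of the quarantine folder.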