>>> Sylvain Robitaille <[EMAIL PROTECTED]> 3/4/2004 11:14:45 AM >>>
On Wed, 3 Mar 2004, Loren Wilton wrote:
> I was waaay behind on my reading when I posted that. Your current (or last
> posted) attempt using full instead of rawbody should basically do it, modulo
> any minor bugs there may be in the code.
Well, it still hasn't worked, so I switched to something as simple as
you suggested (with the list of addresses I've seen instead of only the
one) and that seems to have actually stopped some... :-(
>>>>>>>>>>>>>>
# 2004/03/03 Sylvain Robitaille: trap Bagle variants. Based on
# discussion in spamassassin-users mailing list; specifically
# contributions by "Yackley, Matt" <[EMAIL PROTECTED]>,
# "Bret Miller" <[EMAIL PROTECTED]>, Brent J. Nordquist
# <[EMAIL PROTECTED]>, and Rick Mallett <[EMAIL PROTECTED]>
header __JEFFCO_BAGLE_FROM From =~ /(?:abuse|management|administration|staff|noreply|support)\@(?:.*\.)?(co|jeffco)\.us/
body __JEFFCO_BAGLE_GREETING /^(?:dear|hello)\s+user/i
header __JEFFCO_BAGLE_MSGID Message-ID =~ /[a-z]{11,19}\@(co|jeffco)\.us/
describe __JEFFCO_BAGLE_MSGID Message-ID in format used by Bagle variants
#rawbody __JEFFCO_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/
#describe __JEFFCO_ATTACH Message contains suspicious attachment.
# NOTE that this might be worth using in other contexts, but for now I'm
# including only those I've seen with this particular virus.
body __JEFFCO_BAGLE_REGARDS /^(?:kind regards|sincerely)/i
describe __JEFFCO_BAGLE_REGARDS Bagle variant closing
header __JEFFCO_BAGLE_SUBJECT Subject =~ /e-?mail\s+account/i
describe __JEFFCO_BAGLE_SUBJECT Bagle variant subject
# This might be useful to catch these in a site-agnostic way:
meta T_JEFFCO_BAGLE_VARIANT (__JEFFCO_BAGLE_GREETING && __JEFFCO_BAGLE_REGARDS && __JEFFCO_BAGLE_SUBJECT)
meta JEFFCO_BAGLE_VARIANT (__JEFFCO_BAGLE_FROM && __JEFFCO_BAGLE_GREETING && __JEFFCO_BAGLE_MSGID && __JEFFCO_BAGLE_REGARDS && __JEFFCO_BAGLE_SUBJECT)
describe JEFFCO_BAGLE_VARIANT Message contains a variant of the "Bagle/Beagle" virus
score JEFFCO_BAGLE_VARIANT 20.0
(Relabeled for reporting) - I removed the ATTACH rules (I'm using
MailScanner) and it seems to be catching some, although I do see 0.01
scores for T_JEFFCO_BAGLE_VARIANT - not sure why that is.
Some of the scores I've seen are:
(score=4.787, required 4, BAYES_01 -0.04, DCC_CHECK 2.91, MIME_SUSPECT_NAME 0.10, NO_DNS_FOR_FROM 1.65, NO_REAL_NAME 0.16, T_JEFFCO_BAGLE_VARIANT 0.01)
(score=30.23, required 4, BAGLE_SUBJECT_2 10.00, BAYES_01 -0.04, JEFFCO_BAGLE_VARIANT 20.00, MIME_SUSPECT_NAME 0.10, NO_REAL_NAME 0.16, T_JEFFCO_BAGLE_VARIANT 0.01)
(score=11.77, required 4, BAGLE_PASSWORD 10.00, BAYES_00 -0.05, NO_DNS_FOR_FROM 1.65, NO_REAL_NAME 0.16, T_JEFFCO_BAGLE_VARIANT 0.01)
(score=30.12, required 4, BAGLE_PASSWORD 10.00, BAYES_00 -0.05, JEFFCO_BAGLE_VARIANT 20.00, NO_REAL_NAME 0.16, T_JEFFCO_BAGLE_VARIANT 0.01)