List: majordomo-users
Subject: Re: Procmail Klez Recipe
From: Daniel Liston <dliston () sonny ! org>
Date: 2002-06-20 23:28:31
Thanks again Karl for posting the recipe. I just trapped a Klez infected
message. I should point out a couple of things I have noticed for the rest
of the list though.
1. Bh should be changed to DBh if you want a case sensitive rule.
2. Adding additional "*" lines means you want a condition that matches true
for all lines beginning with *, meaning each line is ANDed together. If
you want an OR condition, all expressions go on one line separated by a
'|' (pipe|bar) symbol.
3. The sixth "echo" line is missing a semi-colon. It should end like );\
4. Make SURE to replace abuse@ourldsfamily.com with your own information.
Dan Liston
karlp@ourldsfamily.com wrote:
>
> Daniel Liston requested that I post this recipe for catching the Klez worm
> using procmail. Though this isn't really sophisticated, it will give you an
> idea of how you can filter for viruses. Briefly, the line starting with an
> asterisk '*' is part of the uuencoded attachment for the .exe or .scr file
> that is the virus. You can put multiple lines beginning with an asterisk so
> you have multiple checks for other viruses. When my system was being
> deluged with emails containing the Klez worm, I quarantined several until I
> could see a commonality. The TVqQAA line below is that commonality. This
> rule catches the virus, then sends an email back to the user. In the other
> virus recipes I have, sending the email back to the user is very helpful.
> This one doesn't do much good because the apparent sender is never the real
> sender. To find out who that is, you have to dissect the header of the virus
> email and look for the Apparently-From: header. However, the links below do
> give valuable information, so I still send it back to the user who has been
> spoofed.
>
> :0 Bh
> *TVqQAAMAAAAEAAAA
>
> |(formail -rtb -I "Precedence: junk" \
> -A "Subject: New Email 'worm' Klez-variety"; \
> echo "Someone is using your email address to spawn a virus."; \
> echo "Either that or your computer is infected. Please see"; \
> echo " ";\
> echo "http://kaspersky.com/news.html?tnews=20140&id=591632"; \
> echo " ";\
> echo "and read about the Klez worm for more information, or visit")\
> echo "http://housecall.antivirus.com/housecall/start_corp.asp"; \
> echo "to get a cleaner just for the Klez viruses."; \
> |$SENDMAIL -fabuse@ourldsfamily.com -oi -t
>
> I hope this helps someone. It is contained in my /etc/procmailrc file. I'm
> using RH7.0, Sendmail 8.11 and MD 1.94.5.
>
> --
> Karl L. Pearson
> Senior Consulting Systems Analyst
> Senior Consulting Database Analyst
> karlp@ourldsfamily.com
> http://consulting.ourldsfamily.com
> My Thoughts on Terrorism In America:
> http://www.ourldsfamily.com/wtc.shtml
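As an added example (not part of either poster's message), the script below shows where the TVqQAAMAAAAEAAAA literal comes from, re-implements the recipe's substring test with and without the D flag, and adds a decode-based check that does not depend on the base64 layout. The sample messages, file names and addresses are constructed for the test.

```python
import base64
import email
from email.message import EmailMessage

# The recipe's literal is the base64 text of the first 12 bytes of a typical DOS/PE header.
KLEZ_SIGNATURE = "TVqQAAMAAAAEAAAA"
MZ_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"

def signature_explains_header() -> bool:
    """Show that the TVqQAA... string is just the encoded executable header."""
    return base64.b64encode(MZ_HEADER).decode() == KLEZ_SIGNATURE

def body_matches(raw_message: bytes, case_sensitive: bool = True) -> bool:
    """Mimic the procmail condition: a substring test over the raw body.
    case_sensitive=True corresponds to ':0 DBh', False to the original ':0 Bh'."""
    _, _, body = raw_message.partition(b"\n\n")
    needle = KLEZ_SIGNATURE.encode()
    if not case_sensitive:
        body, needle = body.lower(), needle.lower()
    return needle in body

def attached_executables(raw_message: bytes) -> list:
    """Decode every MIME part and report attachments whose first bytes are the
    MZ magic, independent of how the base64 text happens to be folded."""
    msg = email.message_from_bytes(raw_message)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            found.append(part.get_filename() or "<unnamed>")
    return found

def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed test message; the addresses are placeholders, not real senders."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample for signature testing"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# A fake executable stub (header plus zero padding) and a harmless attachment.
SAMPLE_INFECTED = build_sample(MZ_HEADER + b"\x00" * 64, "worm.exe")
SAMPLE_CLEAN = build_sample(b"quarterly figures, nothing executable", "notes.txt")
LOWERCASE_ONLY = b"Subject: test\n\ntvqqaamaaaaeaaaa\n"  # different bytes, collides under ':0 Bh'
```

The last sample illustrates Dan's first point: without the D flag the lowercase text (which decodes to entirely different bytes) also triggers the rule.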