
List:       majordomo-users
Subject:    Re: Procmail Klez Recipe
From:       Daniel Liston <dliston () sonny ! org>
Date:       2002-06-20 23:28:31


Thanks again Karl for posting the recipe.  I just trapped a Klez infected
message.  I should point out a couple of things I have noticed for the rest
of the list though.

1.  Bh should be changed to DBh if you want a case sensitive rule.
2.  Adding additional "*" lines means you want a condition that matches true
    for all lines beginning with *, meaning each line is ANDed together.  If
    you want an OR condition, all expressions go on one line separated by a
    '|' (pipe|bar) symbol.
3.  The sixth "echo" line is missing a semi-colon.  It should end like );\
4.  Make SURE to replace abuse@ourldsfamily.com with your own information.

Dan Liston

karlp@ourldsfamily.com wrote:
> 
> Daniel Liston requested that I post this recipe for catching the Klez worm
> using procmail. Though this isn't really sophisticated, it will give you an
> idea of how you can filter for viruses.  Briefly, the line starting with an
> asterisk '*' is part of the uuencoded attachment for the .exe or .scr file
> that is the virus. You can put multiple lines beginning with an asterisk so
> you have multiple checks for other viruses. When my system was being
> deluged with emails containing the Klez worm, I quarantined several until I
> could see a commonality. The TVqQAA line below is that commonality. This
> rule catches the virus, then sends an email back to the user. In the other
> virus recipes I have, sending the email back to the user is very helpful.
> This one doesn't do much good because the apparent sender is never the real
> sender. To find out who that is, you have to dissect the header of the virus
> email and look for the Apparently-From: header. However, the links below do
> give valuable information, so I still send it back to the user who has been
> spoofed.
> 
> :0 Bh
>  *TVqQAAMAAAAEAAAA
> 
>  |(formail -rtb -I "Precedence: junk" \
>  -A "Subject: New Email 'worm' Klez-variety"; \
>  echo "Someone is using your email address to spawn a virus."; \
>  echo "Either that or your computer is infected. Please see"; \
>  echo " ";\
>  echo "http://kaspersky.com/news.html?tnews=20140&id=591632"; \
>  echo " ";\
>  echo "and read about the Klez worm for more information, or visit")\
>  echo "http://housecall.antivirus.com/housecall/start_corp.asp"; \
>  echo "to get a cleaner just for the Klez viruses."; \
>  |$SENDMAIL -fabuse@ourldsfamily.com -oi -t
> 
> I hope this helps someone. It is contained in my /etc/procmailrc file. I'm
> using RH7.0, Sendmail 8.11 and MD 1.94.5.
> 
> --
> Karl L. Pearson
> Senior Consulting Systems Analyst
> Senior Consulting Database Analyst
> karlp@ourldsfamily.com
> http://consulting.ourldsfamily.com
>  My Thoughts on Terrorism In America:
>  http://www.ourldsfamily.com/wtc.shtml
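Putting the four points above together, here is a corrected form of the recipe as an added example; it is not Karl's posted recipe and was not written by Dan. The quarantine path /var/spool/quarantine/klez and the address abuse@example.com are placeholders to replace with your own values, and the attachment-name condition is an assumed addition that shows the one-line OR syntax.

```procmail
# Added example, not the recipe posted in the thread.
# Placeholders to replace: abuse@example.com, /var/spool/quarantine/klez.
#
# Flags: D = case-sensitive conditions (base64 is case-sensitive, so a
# lower-case "tvqqaa" in ordinary text must not match), B = test the body.
# Separate "*" lines are ANDed; alternatives inside one line are ORed
# with "|".  "TVqQ" is the base64 encoding of "MZ\x90", the MZ signature
# that starts DOS/Windows executables, which is why the same line shows
# up in every base64-encoded .exe or .scr attachment.
:0 DB
* ^TVqQAAMAAAAEAAAA
* name=.*\.(exe|scr|EXE|SCR)
{
  # Keep a copy for inspection; "c" continues with the message afterwards.
  :0 c
  /var/spool/quarantine/klez

  # Reply using the header only ("h").  Every echo ends with ";" and the
  # subshell closes with ")" after the last one, then pipes to sendmail.
  :0 h
  | ( formail -rtb -I "Precedence: junk" \
        -A "Subject: New Email 'worm' Klez-variety"; \
      echo "Someone is using your email address to spawn a virus."; \
      echo "Either that or your computer is infected. Please see"; \
      echo " "; \
      echo "http://housecall.antivirus.com/housecall/start_corp.asp"; \
      echo " "; \
      echo "to get a cleaner just for the Klez viruses." ) \
    | $SENDMAIL -fabuse@example.com -oi -t
}
```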
