Novarg/Mydoom filtering?
Morbus Iff
morbus at disobey.com
Tue Jan 27 14:18:24 EST 2004
>Has anyone had to do anything to filter this latest Windows-spread
>annoyance using either milter/Mime-defang/spam-assassin/razor,etc.?
What flavor of filtering do you like?
http://www.xray.mpe.mpg.de/mailing-lists/procmail/2004-01/msg00173.html
http://archives.neohapsis.com/archives/postfix/2004-01/3090.html
http://archives.neohapsis.com/archives/postfix/2004-01/3091.html
I've attached the current procmail rule I'm using.
-------------- next part --------------
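#
# Trap NovArg
# Signature as of 01/27/2004
#
# Outer recipe: message between 10000 and 50000 bytes, multipart/mixed,
# with a text/plain; charset=Windows-1252 part in the body. The two
# weighted "B ??" conditions act as an OR: the first takes the charset
# on the Content-Type line itself, the second takes it on the following
# (folded) line.
# Inner recipe: a base64 attachment named document/readme/doc/text/file/
# data/test/message/body, optional digits, ".zip"; matching mail is
# tagged with X-Content-Security headers by formail.
#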
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*charset *= *"?Windows-1252"?
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*$.*charset *= *"?Windows-1252"?
{
:0 B hfi
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html"
}
-------------- next part --------------
--
Morbus Iff ( i put the demon back in codemonkey )
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
Spidering Hacks: http://amazon.com/exec/obidos/ASIN/0596005776/disobeycom
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus