On 11/26/01 11:26 AM, John D. Hardin sat at the `puter and typed:
Okay, here is the final local-rules ruleset for detecting and
quarantining badtrans. I'll add it to the website later today.
If you're not using the sanitizer, modify the action section
appropriately.
Beware line-wrap.
# Trap BadTrans? (signature as of 11/26/2001)
#
# Outer recipe: total message length between 40000 and 50000 bytes,
# a "Re:" subject, and the worm's fixed MIME boundary in the
# top-level Content-Type header.
:0
* > 40000
* < 50000
* ^Subject:.*Re:
* ^Content-Type:.*multipart/related;.*"multipart/alternative";.*boundary="====_ABC1234567890DEF_===="
{
	# Inner recipe: B = match conditions against the body;
	# h f i = feed the header through the filter, ignoring write errors.
	:0 B hfi
	* ^Content-Type: audio/x-wav;
	* ^Content-ID: <EA4DMGBP9p>
	* ^Content-Transfer-Encoding: base64
	| formail -A "X-Content-Security: [$HOST] NOTIFY" \
	  -A "X-Content-Security: [$HOST] QUARANTINE" \
	  -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32(_dot_)badtrans(_dot_)b(_at_)mm(_dot_)html"
}
I have to admit to being a little slow here, but do those two first
conditions specify the range of bytes in the message? I've been
getting them in the 530 line range, so I imagine it could fall in that
range. What's the reasoning for checking the range? Other than we
can email back and forth about it, I mean.
TIA
Lou
--
Louis LeBlanc leblanc(_at_)keyslapper(_dot_)org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org
Occam's eraser:
The philosophical principle that even the simplest
solution is bound to have something wrong with it.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
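As an added example (not code from either poster), the following Python script re-implements the checks of the quoted procmail recipe so they can be run against a message on disk. Procmail's `* > n` and `* < n` conditions compare the total length of the message, headers plus body, in bytes, which is what the 40000/50000 window tests; the `B` flag on the inner recipe makes its conditions match against the body. The `build_sample` function constructs synthetic test messages of a chosen size (the sender address, host name and padding are made up for the example); the regexes and header values are taken from the recipe.

```python
import re

# Size window from the recipe: * > 40000 and * < 50000 (whole message, in bytes).
SIZE_MIN = 40000
SIZE_MAX = 50000

# Outer-recipe conditions, matched against the header block.
HEADER_CHECKS = [
    re.compile(rb"^Subject:.*Re:", re.M),
    re.compile(rb'^Content-Type:.*multipart/related;.*"multipart/alternative";'
               rb'.*boundary="====_ABC1234567890DEF_===="', re.M),
]

# Inner-recipe conditions (the B flag), matched against the body.
BODY_CHECKS = [
    re.compile(rb"^Content-Type: audio/x-wav;", re.M),
    re.compile(rb"^Content-ID: <EA4DMGBP9p>", re.M),
    re.compile(rb"^Content-Transfer-Encoding: base64", re.M),
]


def split_message(raw):
    """Split raw RFC 822 bytes into (headers, body) at the first blank line."""
    head, _sep, body = raw.partition(b"\n\n")
    return head, body


def size_in_window(raw):
    """Equivalent of '* > 40000' followed by '* < 50000' on the whole message."""
    return SIZE_MIN < len(raw) < SIZE_MAX


def matches_badtrans(raw):
    """True when every condition of the outer and inner recipe would fire."""
    if not size_in_window(raw):          # cheap test first, as in the recipe
        return False
    head, body = split_message(raw)
    if not all(p.search(head) for p in HEADER_CHECKS):
        return False
    return all(p.search(body) for p in BODY_CHECKS)


def tag_message(raw, host="mailhost"):
    """Mimic the 'formail -A' action: append the X-Content-Security headers.

    'host' stands in for the recipe's $HOST variable (example value).
    Messages that do not match are returned unchanged.
    """
    if not matches_badtrans(raw):
        return raw
    head, body = split_message(raw)
    extra = (f"X-Content-Security: [{host}] NOTIFY\n"
             f"X-Content-Security: [{host}] QUARANTINE\n"
             f"X-Content-Security: [{host}] REPORT: Trapped BadTrans worm\n").encode()
    return head + b"\n" + extra + b"\n" + body


def build_sample(total_bytes, worm_parts=True):
    """Constructed test message, padded to just under total_bytes bytes.

    worm_parts=False keeps the outer headers but omits the body lines the
    inner recipe looks for, i.e. a same-sized message that is not the worm.
    """
    head = (b"From: sender@example.invalid\n"          # constructed address
            b"Subject: Re: hi\n"
            b'Content-Type: multipart/related; type="multipart/alternative"; '
            b'boundary="====_ABC1234567890DEF_===="\n')
    body = b"--====_ABC1234567890DEF_====\n"
    if worm_parts:
        body += (b"Content-Type: audio/x-wav;\n"
                 b"Content-ID: <EA4DMGBP9p>\n"
                 b"Content-Transfer-Encoding: base64\n\n")
    raw = head + b"\n" + body
    filler = b"A" * 76 + b"\n"                          # base64-looking padding
    while len(raw) + len(filler) < total_bytes:
        raw += filler
    return raw


if __name__ == "__main__":
    for size in (5000, 45000):
        msg = build_sample(size)
        print(f"{len(msg):6d} bytes: matches={matches_badtrans(msg)}")
    print(tag_message(build_sample(45000), host="mx1")[:400].decode())
```

Running the script shows that the 5000-byte copy with the worm's headers and body lines is not trapped, because it fails the size window before any regex is evaluated, while the 45000-byte copy is tagged with the three headers. The size test is the cheapest of the conditions, so placing it first means the body regexes only run on messages already in the expected range.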