procmail

Re: BLOCK: Happy99 trojan/virus filter

1999-03-07 13:57:26
(I was going to follow up on Spam-L as well but it looks like I posted
too many messages already ... I'll repost this there later.)

On Thu, 4 Mar 1999 17:55:31 -0700, Michael Rawls wrote:
  The following procmail filter will detect the Happy99 email virus,
notify the sender that his computer is infected, and store the infected
file in a folder separate from the standard email folder.
<...>
# Trojan virus program that propagates itself via email
:0 B c
* !^From:.*MAILER-DAEMON
* !^From:.*postmaster

Your recipe only examines the body, so these will never accomplish
anything. Anyway, you should probably use ^FROM_DAEMON which is
somewhat more bulletproof than these checks. (Also note that Sendmail
usually uses an underscore in MAILER_DAEMON.)

(Philip: Perhaps these macros could be rigged to always work on the
headers even if you have a B flag? Or unless you specifically use them
with B??)

* begin 644 Happy99.exe

This should definitely be anchored to beginning of line. Additionally,
you might want to check that it contains a few uuencode-like lines
after the begin line -- somebody could plausibly write something like 

"Remove everything starting with the line

begin 644 happy99.exe

and through to end of the message"

in an instruction on how to deal with the problem.

So now we have something more or less like

    # This is based on a quick check against what my own copy
    #  of uuencode produces, not actual documentation of any sort.
    # Oh for regex\{count\} syntax!

    UUENCODE='[!-`]'
    UFOUR="$UUENCODE$UUENCODE$UUENCODE$UUENCODE"
    USIXTEEN="$UFOUR$UFOUR$UFOUR$UFOUR"
    USIXTY="$USIXTEEN$USIXTEEN$USIXTEEN$UFOUR$UFOUR$UFOUR"

    # Check for at least three full lines of correctly uuencoded data
    # You could also look for an unbroken row of M$USIXTY($) lines up
    #  until the last lines, which will be $UUENCODE+ (no more than
    #  sixty, of course, but we're too lazy to formalize that) followed
    #  by newline, backtick, newline, "end", newline. (I think. :-)

    :0c
    * ! ^FROM_DAEMON
    * $ B ?? ^begin 6[0-7][0-7] happy99\.exe($)M$USIXTY($)M$USIXTY($)M$USIXTY($)
    ...

followed by the action you already had:

| (formail -r -A"Precedence: junk" \
-A"X-Loop: your@own.mail.address" ; \
echo "Your computer appears to be infected with the Happy99.exe \
(W32/Ska)  virus. Please visit http://www.mcafee.com and \
download the latest McAfee anti-virus software and DAT file \
to take care of this problem.") | $SENDMAIL -t

In principle, I would usually recommend formail -rt over formail -r
but you probably know more about your local users and their habits
than I do.

The wrapped echo will be wrapped onto a single line so you might want
to put the message in a variable instead:

    REPLY="Your computer appears to be infected with the Happy99.exe
(W32/Ska) virus. Please visit <http://www.mcafee.com/> and
download the latest McAfee anti-virus software and DAT file
to take care of this problem.

This is an automatically generated message."

    :0
    * conditions
    | ( formail -foo -bar -baz; echo "$REPLY" ; ) | $SENDMAIL -oi -t

This also facilitates reusing this message (only one place to edit
when you decide to recommend someone more responsible than McAfee,
etc).

The X-Loops look kind of gratuitous if you never check against them on
incoming mail. 

* X-Spanska: Yes

This should of course be anchored, so as not to accidentally match on
this in Subject: headers etc.

I will leave wrapping this up as an exercise for the reader (mostly
because it's too late for me to think I could type it all in
correctly. Sorry about that -- I know, I'm a lazy bastard).

/* era */

-- 
.obBotBait: It shouldn't even matter whether    <http://www.iki.fi/~era/>
I am a resident of the state of Washington. <http://members.xoom.com/procmail/>
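An added example, not code from era's message or from Michael Rawls's original recipe: the two body checks discussed in the thread (begin line plus at least three full uuencoded lines; and the stricter whole-block form sketched in the recipe's comment) and the anchored versus unanchored X-Spanska: header test, translated into Python regular expressions and run over constructed sample messages. The sample addresses, subjects and the byte pattern standing in for the executable are all made up for the example; no real malware is involved.

```python
import binascii
import re

# Added example, not code from the original post or recipe. It mirrors the
# procmail conditions in Python: the message is split into headers and body by
# hand (procmail's B flag means "body only"), and matching is case-insensitive,
# as procmail's is by default.

UU_CHAR = r"[!-`]"                      # the post's UUENCODE class: '!' .. '`'
UU_FULL_LINE = "M" + UU_CHAR + "{60}"   # 45 data bytes -> 'M' + 60 chars
BEGIN_LINE = r"^begin 6[0-7][0-7] happy99\.exe$"

# Lenient check from the post: the begin line followed by at least three full
# uuencoded data lines, so a bare "begin 644 happy99.exe" quoted in advice
# text does not trigger.
LENIENT_RE = re.compile(
    BEGIN_LINE + r"\n(?:" + UU_FULL_LINE + r"\n){3}",
    re.IGNORECASE | re.MULTILINE,
)

# Stricter check sketched in the recipe's comment: an unbroken run of full
# lines, at most one shorter final data line, then the "`" and "end" lines.
STRICT_RE = re.compile(
    BEGIN_LINE
    + r"\n(?:" + UU_FULL_LINE + r"\n)*"
    + r"(?:" + UU_CHAR + r"{1,61}\n)?"
    + r"`\nend$",
    re.IGNORECASE | re.MULTILINE,
)


def uuencode(name, data, backtick=True):
    """Build a uuencode(1)-style block. backtick=True writes '`' for zero
    sextets, as classic uuencode does; some encoders write ' ' instead."""
    lines = ["begin 644 " + name]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=backtick)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def split_message(msg):
    """Return (headers, body) for an RFC 822 text; the body checks below are
    applied to the body part only, like a procmail B-flag condition."""
    headers, _, body = msg.partition("\n\n")
    return headers, body


def lenient_match(msg):
    return LENIENT_RE.search(split_message(msg)[1]) is not None


def strict_match(msg):
    return STRICT_RE.search(split_message(msg)[1]) is not None


def has_header(msg, name, value):
    """Anchored header test, the equivalent of procmail's ^X-Spanska: Yes."""
    headers = split_message(msg)[0]
    pattern = r"^" + re.escape(name) + r":[ \t]*" + re.escape(value) + r"[ \t]*$"
    return re.search(pattern, headers, re.IGNORECASE | re.MULTILINE) is not None


def header_anywhere(msg, name, value):
    """The unanchored form the post warns against: it also hits a Subject:
    line that merely mentions the header."""
    return re.search(re.escape(name + ": " + value), split_message(msg)[0],
                     re.IGNORECASE) is not None


# Constructed samples (not real malware): a benign byte pattern stands in for
# the executable, so only the uuencode framing is realistic.
INFECTED = (
    "From: friend@example.net\n"
    "Subject: Happy New Year 1999\n"
    "X-Spanska: Yes\n"
    "\n"
    "Have a look at this!\n"
    + uuencode("Happy99.exe", b"MZ" + bytes(range(250)))
)

ADVICE = (
    "From: helpdesk@example.net\n"
    "Subject: Re: mail marked X-Spanska: Yes\n"
    "\n"
    "Remove everything starting with the line\n"
    "\n"
    "begin 644 happy99.exe\n"
    "\n"
    "and through to the end of the message.\n"
)

# Same framing, but encoded with spaces for zero sextets: the post's [!-`]
# class does not cover ' ', so such an attachment slips past both regexes.
SPACE_ENCODED = INFECTED.split("\n\n", 1)[0] + "\n\n" + uuencode(
    "happy99.exe", bytes(45) + b"MZ" + bytes(range(250)), backtick=False
)

if __name__ == "__main__":
    for label, msg in [("infected", INFECTED), ("advice", ADVICE),
                       ("space-encoded", SPACE_ENCODED)]:
        print(label, lenient_match(msg), strict_match(msg),
              has_header(msg, "X-Spanska", "Yes"))
```

Run it with `python3 happy99_check.py` (file name assumed). Two points the run makes that the recipe alone does not: Python's `{60}` quantifier stands in for the USIXTY concatenation procmail needs because its regex engine has no counted repetition, and the `[!-`]` class excludes the space character, so an attachment from an encoder that writes spaces for zero sextets (Python's `binascii.b2a_uu` default, for instance) is not caught by either condition; a filter that must handle such mail needs `[ -`]` instead.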
