On Sat, 27 Mar 1999, Brett Glass wrote:

> At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
> > On Sat, 27 Mar 1999, Brett Glass wrote:
> > > Excellent. Is there a default "poisoned executables" file in the
> > > package? Or do admins have to construct a list themselves?
> >
> > They have to make it themselves if they wish to use the facility. The
> > web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story.
>
> It turns out that the Melissa code also infects NORMAL.DOT, so that
> the computer starts producing infected documents. When one of those
> documents hits a machine that hasn't been infected yet, that machine
> sends out a barrage of e-mail.... Using the NEW document as the
> attachment! It'll have a different name. So, we also need to filter
> by subject and body.
That's a job that regular procmail is well suited to. If the subject
is fixed (hang on, reading bugtraq...)
Per Aleph1:
The subject line is "important Message From <some user name>". The
body consist of the text "Here is that document you asked for...
don't show anyone else;-)".
That's fairly simple...
# Outer recipe: scan the headers (H) for the worm's fixed subject line.
# Procmail condition matching is case-insensitive by default.
:0 H
* ^Subject:.*important Message From
{
    # Inner recipe: scan the body (B) for the fixed text and for a MIME
    # part header that names a .doc or .dot attachment, whatever it is called.
    :0 B
    * Here is that document you asked for
    * don't show anyone else
    * ^Content-.*: .*\.do[ct]
    {
        LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '
        # Deliver to the quarantine mailbox instead of the user's inbox.
        :0
        security-quarantine
    }
}
--
John Hardin KA7OHZ
jhardin(_at_)wolfenet(_dot_)com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
In the Lion
the Mighty Lion
the Zebra sleeps tonight...
Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
52 days until Star Wars episode I
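The same three-part check (fixed subject, fixed body text, a .doc/.dot attachment of any name) expressed in Python with the standard library's email parser, as an added example that is not the poster's recipe or part of the original thread. The messages it inspects are constructed inline; the names build_sample and looks_like_melissa are this example's own.

```python
"""Python equivalent of the nested procmail recipe above (added example).
The indicators come from Aleph1's description quoted in the thread; the
sample messages below are constructed for illustration only."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators the recipe keys on. Procmail matches case-insensitively by
# default, so the regexes here do too.
SUBJECT_RE = re.compile(r"important message from", re.IGNORECASE)
BODY_PHRASES = ("here is that document you asked for", "don't show anyone else")
WORD_DOC_RE = re.compile(r"\.do[ct]$", re.IGNORECASE)   # .doc or .dot


def looks_like_melissa(raw: bytes) -> tuple[bool, str]:
    """Return (matched, reason). All three indicators must be present,
    mirroring the nested conditions: subject, then body text, then a
    Word document attached under any filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    if not SUBJECT_RE.search(msg.get("Subject", "")):
        return False, "subject does not match"

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if not all(phrase in text for phrase in BODY_PHRASES):
        return False, "body text does not match"

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if WORD_DOC_RE.search(name):
            return True, ('REJECT Possible "Melissa" Microsoft Word macro worm: '
                          f"attachment {name}")
    return False, "no Word document attached"


def build_sample(subject: str, text: str, attachment_name: str) -> bytes:
    """Construct a multipart message with one attachment (test data, not a
    real captured worm message). The attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"placeholder bytes, not a real document",
                     maintype="application", subtype="msword",
                     filename=attachment_name)
    return m.as_bytes()


WORM_TEXT = "Here is that document you asked for... don't show anyone else;-)"

if __name__ == "__main__":
    # Renamed attachment (the NORMAL.DOT twist) is still caught because the
    # filter keys on subject and body rather than a fixed filename.
    for subj, body, fname in [
        ("Important Message From Alice", WORM_TEXT, "list.doc"),
        ("Important Message From Alice", WORM_TEXT, "quarterly-report.doc"),
        ("Important Message From Alice", WORM_TEXT, "notes.txt"),
        ("Meeting notes", WORM_TEXT, "list.doc"),
    ]:
        print(fname, looks_like_melissa(build_sample(subj, body, fname)))
```

The body check uses the text/plain part only, which is what the procmail B flag effectively sees for a plain worm message; the attachment name check walks the MIME parts instead of grepping the raw body for Content- headers, so a filename split across an encoded-word or a quoted parameter is still recognised.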