procmail

Re: Blocking the Melissa Trojan

1999-03-28 10:07:51
At 08:12 PM 3/27/99 -0800, John D. Hardin wrote:
Sounds good. Now, for the next twist to the story.

It turns out that the Melissa code also infects NORMAL.DOT, so that
the computer starts producing infected documents. When one of those
documents hits a machine that hasn't been infected yet, that machine
sends out a barrage of e-mail.... Using the NEW document as the
attachment! It'll have a different name.  So, we also need to filter
by subject and body. 

That's a job that regular procmail is well suited to. If the subject
is fixed (hang on, reading bugtraq...) 

Per Aleph1:
The subject line is "important Message From <some user name>". The
body consist of the text "Here is that document you asked for...
don't show anyone else;-)".

That's fairly simple...

# Outer recipe: look only at the headers (H) for the worm's subject line.
# No D flag is given, so procmail matches this regex case-insensitively.
:0 H
* ^Subject:.*important Message From
{
 # Inner recipe: search the body (B) for the canned text and for a MIME
 # part header that names a Word document (.doc or .dot) attachment.
 :0 B
 * Here is that document you asked for
 * don't show anyone else
 * ^Content-.*: .*\.do[ct]
 {
   # Record the hit in the procmail log, then file the message
   # in the quarantine folder instead of the inbox.
   LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '

   :0
   security-quarantine
 }
}

Almost right. The only thing is that we need to get the text just right
(at least if the matching is sensitive to case). The header begins
with "Important Message From" or "Re: Important Message From" -- capitalized
just so.

Could this be added to the standard set of filters as well? It'd be great to
be able to hand people something that "just works."

--Brett
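The same three-part signature the recipe above checks (subject, body phrases, Word attachment), as an added example written for this page rather than code from the thread. It parses a constructed message with Python's standard `email` module and, like procmail's default matching, compares the subject case-insensitively, so both the lowercase "important" quoted from Aleph1 and the capitalized form work.

```python
import re
from email import message_from_string

# Signature pieces taken from the thread: the subject (optionally prefixed
# with "Re: "), the two body phrases, and a Word document (.doc / .dot) attachment.
SUBJECT_RE = re.compile(r"^(Re:\s*)?Important Message From\b", re.IGNORECASE)
BODY_PHRASES = ("here is that document you asked for", "don't show anyone else")
WORD_EXTENSIONS = (".doc", ".dot")


def looks_like_melissa(raw: str) -> bool:
    """True when a raw RFC 822 message carries all three Melissa markers."""
    msg = message_from_string(raw)
    if not SUBJECT_RE.match(msg.get("Subject", "")):
        return False
    body_text = ""
    has_word_attachment = False
    for part in msg.walk():  # the container itself, then every MIME part
        filename = part.get_filename() or ""
        if filename.lower().endswith(WORD_EXTENSIONS):
            has_word_attachment = True
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_text += payload.decode("latin-1", errors="replace")
    if not has_word_attachment:
        return False
    lowered = body_text.lower()
    return all(phrase in lowered for phrase in BODY_PHRASES)


# Constructed sample message (not a real capture); note the lowercase
# "important", which the case-insensitive subject regex still matches.
SAMPLE_MATCH = """\
From: sender@example.invalid
Subject: Re: important Message From Sender
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Here is that document you asked for... don't show anyone else;-)
--XYZ
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"

AAAA
--XYZ--
"""
```

A mail gateway would route messages for which `looks_like_melissa` returns True to a quarantine folder, exactly as the recipe's `security-quarantine` delivery does.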