procmail
[Top] [All Lists]

Re: That famous worm whose name I don't want to use in the SUBJ

2000-05-11 05:40:32
From: "Dallman Ross" <dman(_at_)walkerect(_dot_)com>

Well, 1.5 hours ago I sent the below, but it hasn't appeared.

In retrospect, I'm inclined to believe that the netcom.com outgoing
SMTP server silently blocked that initial mail due to a false positive
ID with the worm.  If so, it is quite annoying.  But let's move on.


From: Philip Guenther <guenther(_at_)gac(_dot_)edu>

I've been
using the following recipe:

    :0
    * 9876543210^0      ^Content-[-a-z0-9_]+:.*="?[^"]*\.vbs
    * 9876543210^0 B ?? ^Content-[-a-z0-9_]+:.*($[   ].*)*="?[^"]*\.vbs
    $BOG/vbs/$DEST

That's a space and tab in the brackets on the second condition line.

I had implemented this.  I didn't catch any worms, but I did catch
an administrative mailing from McAfee Tech Support with it!

I was mistaken, and I wanted to set the record straight.  I had made a
tiny alteration to the second condition, and that caused various false
positives, including snagging the email from McAfee.  I've changed it
back to the original conditions shown above, and it does seem to work
right so far.  (I've never gotten one of the worms, though, so I can't
say for sure taht it would catch it or any other VB Script.)

Did others have no procmail list mail from Thursday until Monday?
List mail stopped for me Thu. around dinnertime CET, and returned
sometime Monday morning.

-- 
    \     .-.     .-.     .-.     .-.     .-.     .-.     .-.     /
     \-d-/-m-\-a-/-n-\-(_at_)-/-n-\-e-/-t-\-c-/-o-\-m-/-.-\-c-/-o-\-m-/
      '-'     '-'     '-'     '-'     '-'     '-'     '-'     '-'

<Prev in Thread] Current Thread [Next in Thread>