First, thanks to David, Don, Philip, etc. for all the great work at
explaining things for everyone.
I noticed last night late that my filter was in fact missing a large chunk
(by large, it missed over 200,000 copies in 4 hours) of the sircam
virus/worm. After research, I found that every one missed came from
Outlook 5.50.4133.2400 but this could still be a coincidence. Anyway, I'm
still having a little problem and also, am not sure I'm catching most of
them yet...
I'm getting an error in generating my bounce, but it is logging correctly
and I've only seen one message about the virus that had all the possible
lines and thus generated a score of 7 (no attach) and got nabbed but that's
acceptable to me.
Any suggestions as to a fix for the bounce portion and/or any tweaks to
this to make it better?
filter snippet:
# W32(_dot_)SirCam(_at_)MM
#
:0 BH
* ! ^X-BeenThere: procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
* 1^0 ^Content-Type:.*(multipart|attachment)
* 1^0 B ?? Hi\! How are you(\?|=3F)
* 1^0 B ?? I send you this file in order to have your advice
* 1^0 B ?? See you later(\.|=2E) Thanks
* 1^0 B ?? Hola como estas *\?
* 1^0 B ?? Te mando este archivo para que me des tu punto de vista
* 1^0 B ?? Nos vemos pronto, gracias\.
* 1^0 B ?? I hope you like the file that I send( t)?o you
* 1^0 B ?? This is the file with the information that you ask for
* -3^0
{
SIRCAM=yes
}
:0
* SIRCAM ?? yes
{
oldVERBOSE=$VERBOSE
VERBOSE=on
oldLOGFILE=$LOGFILE
LOGFILE=/var/spool/mqueue/sircam.log
:0 f
| (${FORMAIL} -r -I "Subject: \"SirCam\" Worm Warning"; \
echo "Your machine is sending out the virus \"SirCam\" Email Worm. "; \
echo "As a result, it sent out a document chosen at random from your
machine"; \
echo "titled \"$SUBJECT\" that contained the virus. "; \
echo; \
echo "Please Visit
http://www.symantec.com/avcenter/venc/data/w32(_dot_)sircam(_dot_)worm(_at_)mm(_dot_)html "; \
echo "Information regarding removal can be found here."; \
echo; \
echo "More information can be found at: "; \
echo "http://www.wired.com/news/technology/0,1282,45427,00.html and "; \
echo
"http://www.zdnet.com/zdnn/stories/news/0,4586,2792260,00.html?chkpt=zdnnp1tp02
"; \
) | /usr/lib/sendmail -t
:0
/var/spool/mqueue/virus.sircam
:0
{
SPAMTAG=yes
}
LOGFILE=$oldLOGFILE
VERBOSE=$oldVERBOSE
}
and log:
procmail: Executing " (${FORMAIL} -r -I "Subject: \"SirCam\" Worm Warning"; \
echo "Your machine is sending out the virus \"SirCam\" Email Worm. "; \
echo "As a result, it sent out a document chosen at random from your
machine"; \
echo "titled \"$SUBJECT\" that contained the virus. "; \
echo; \
echo "Please Visit
http://www.symantec.com/avcenter/venc/data/w32(_dot_)sircam(_dot_)worm(_at_)mm(_dot_)html "; \
echo "Information regarding removal can be found here."; \
echo; \
echo "More information can be found at: "; \
echo "http://www.wired.com/news/technology/0,1282,45427,00.html and "; \
echo
"http://www.zdnet.com/zdnn/stories/news/0,4586,2792260,00.html?chkpt=zdnnp1tp02
"; \
) | /usr/lib/sendmail -t"
procmail: Error while writing to " (${FORMAIL} -r -I "Subject: \"SirCam\"
Worm Warning"; \
echo "Your machine is sending out the virus \"SirCam\" Email Worm. "; \
echo "As a result, it sent out a document chosen at random from your
machine"; \
echo "titled \"$SUBJECT\" that contained the virus. "; \
echo; \
echo "Please Visit
http://www.symantec.com/avcenter/venc/data/w32(_dot_)sircam(_dot_)worm(_at_)mm(_dot_)html "; \
echo "Information regarding removal can be found here."; \
echo; \
echo "More information can be found at: "; \
echo "http://www.wired.com/news/technology/0,1282,45427,00.html and "; \
echo
"http://www.zdnet.com/zdnn/stories/news/0,4586,2792260,00.html?chkpt=zdnnp1tp02
"; \
) | /usr/lib/sendmail -t"
procmail: Rescue of unfiltered data succeeded
procmail: Assigning "LASTFOLDER=/var/spool/mqueue/virus.sircam"
procmail: Opening "/var/spool/mqueue/virus.sircam"
procmail: Acquiring kernel-lock
From bells(_at_)westco(_dot_)net Fri Jul 27 09:46:51 2001
Subject: JAS01
Folder:
/var/spool/mqueue/virus.sircam 1259880
procmail: [22557] Fri Jul 27 09:46:56 2001
procmail: Notified comsat:
"adservices(_at_)1101192:/var/spool/mqueue/virus.sircam"
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail