Eric Krichbaum is trying to catch the latest W32.Badtrans.B@mm
(?)
virus/ worm (being spewed by the unbelievable number of Outlook users
still uninterested/uninformed re: safe configuration) by taking
advantage of the apparently consistent forged From: header containing
"<_" (e.g. From: "User" <_user@domain.tld>).
To which David Tamkin offered a thoughtful and detailed explanation of
the pitfalls and the following recipe:
| :0: # the brackets enclose caret, space, tab
| * ^From:(.*\<)?_[^ ]*@
| /var/log/Badtrans
However, Eric is experiencing both false positives and false negatives.
There was either a typo in David's response or he didn't completely
understand the request. I don't want to put words in his mouth, so will
let him straighten that out when he can. But to get you started in case
David's response is delayed, in this case you should be able to get by
with something as simple as:
# loose match: any From: header containing "<_" anywhere after the colon
:0:
* ^From:.*<_
/var/log/Badtrans
or if you want to tighten it up a bit more:
# tighter match: "<_" must be followed by a local part, "@", a domain and ">"
:0:
* ^From:.*<_[^ ]*@[^ ]+>
/var/log/Badtrans
Personally, I wouldn't use this as the *only* condition to catch this
thing, but that's not to say it doesn't have some value.
--
Reply to list please, or append "6" to "procmail" in address if you must.
Spammers' unrelenting address harvesting forces me to this...reluctantly.
_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
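As an added illustration (not part of the post above, and not procmail itself), the following Python script emulates how procmail would evaluate the two From: conditions proposed in the message, so the difference between the loose and the tightened pattern can be checked on sample headers before the recipe goes into a live .procmailrc. It assumes procmail's default behaviour: case-insensitive matching (reproduced with re.IGNORECASE), "^" matching after any newline (re.MULTILINE), and conditions being tested against the header only, which is emulated by splitting the message at the first blank line. All sample headers and the sample message are constructed for the demonstration.

```python
import re

# Added example (not from the post): emulates how procmail would evaluate the
# two From:-header conditions proposed above. Assumptions: procmail's default
# case-insensitive matching is reproduced with re.IGNORECASE, its "^ matches
# after any newline" rule with re.MULTILINE, and its default of testing only
# the header (not the body) by splitting the message at the first blank line.
LOOSE = re.compile(r"^From:.*<_", re.IGNORECASE | re.MULTILINE)
TIGHT = re.compile(r"^From:.*<_[^ ]*@[^ ]+>", re.IGNORECASE | re.MULTILINE)


def matches(from_header: str) -> dict:
    """Evaluate both conditions against a single From: header line."""
    return {
        "loose": LOOSE.search(from_header) is not None,
        "tight": TIGHT.search(from_header) is not None,
    }


def scan_message(raw_message: str) -> dict:
    """Evaluate both conditions the way procmail does by default: header only."""
    header, _sep, _body = raw_message.partition("\n\n")
    return {
        "loose": LOOSE.search(header) is not None,
        "tight": TIGHT.search(header) is not None,
    }


# Constructed sample headers (not real mail): the forged form quoted in the
# post, ordinary senders, and two edge cases that separate the two patterns.
SAMPLES = [
    'From: "User" <_user@domain.tld>',          # the forged form from the post
    'From: Alice <alice@example.org>',           # ordinary sender
    'From: John <john_doe@example.org>',         # underscore, but not after "<"
    'From: "Ops" <_ops@example.net>',            # legitimate leading underscore
    'From: "Mr <_> Smith" <smith@example.com>',  # "<_" only in the display name
]

# Constructed message whose only "<_" is in the body; procmail ignores it
# because conditions without the B flag are matched against the header only.
BODY_ONLY_MESSAGE = (
    "From: Alice <alice@example.org>\n"
    "Subject: hello\n"
    "\n"
    "Forwarded: From: <_user@domain.tld>\n"
)

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{matches(line)!s:40} {line}")
    print(scan_message(BODY_ONLY_MESSAGE), "(body-only match)")
```

Running it shows that both patterns match the forged form and neither matches an address whose underscore is not immediately after "<"; the display-name case is where they diverge (loose matches, tight does not), and the legitimately underscore-prefixed address matches both, which is the false-positive exposure behind the closing remark that this should not be the only condition.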