procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: bugbear filtering

2002-10-04 08:31:49
from [Shane Williams] [Permanent Link] 
Here's what I've concocted.

(Note that in both recipes below, I've added a newline in the middle
of the pattern to avoid setting off my own scanners)

# Look for Bugbear
:0B:
* ^uv\+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA
0AEUQ\+FEN23f7doqAT/dCQk/xWcEQmDxCTD$
$VIRUSTRAP


After a couple of days in place (and also in a snort rule), I haven't
gotten any false positives.  I don't think I'm missing any of them,
because I also check mail with McAfee's uvscan and haven't seen any
false negatives.

As a side note, several people mentioned that Klez rules will pick
it up.  If so, then I'd recommend tuning your rule, since Bugbear
resembles Klez somewhat, but is a distinct virus with some
characteristics unlike Klez.  In any case, all the standard stuff
about making rules accurate but not overbroad applies.

Here's my rule for Klez, which after six months of use, I feel very
confident in.

:0 B:
*
^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFI
tEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$
$VIRUSTRAP





On Fri, 4 Oct 2002, Michael Moritz wrote:


Hi,

We realised some rise in mail load yesterday due to bugbear since it has 
reached the UK. I did some research through the 
files and found the following to be working quite well for our mailserver.

:0 D
*Content-Transfer-Encoding: base64
*TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA
*AEAAAAAAAAAAAAAAAAAABAAADgLnJzcmMA
/var/mail/junk

I'm not a procmailrc pro so maybe someone around has suggestions to make this 
more efficient.

Regards,

mm


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail



-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines |        
shanew(_at_)gslis(_dot_)utexas(_dot_)edu
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  chowning messges delivered to specific user through /etc/procmail, Mark T. Valites
Next by Date:  Re: bugbear filtering, Professional Software Engineering
Previous by Thread:  Re: bugbear filtering, LuKreme
Next by Thread:  Re: bugbear filtering, dman
Indexes:  [Date] [Thread] [Top] [All Lists]