procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: bugbear filtering

2002-10-04 08:37:58
from [Bart Schaefer] [Permanent Link] 
On Fri, 4 Oct 2002, Michael Moritz wrote:


# Klez (from Bart Schaefer on procmail list 20020427)
:0EB
* > 50000
* ^Content-Type:[       ]*(audio/x-|application)
* 1^0 ()<i?frame[       ]*src=(3d)?cid:
* 1^0 ^--[^ ]+$$Content-
* 1^0 ^--[^ ]+$--[^ ]+$
/var/mail/junk

The problem is that it filtered this message among some real virus ones:

    [ Part 1, Text/HTML  4 lines. ]
    [ Not Shown. Use the "V" command to view or save this part. ]
    [ Part 2, Audio/X-WAV  127KB. ]


There's always a danger that a signature-based filter will get a "false
positive."  I'd be curious which condition triggered it; my guess is that
the sender used the iframe trick to try to get his WAV file to play as
soon as you opened the message.  (As far as I'm concerned, that's annoying
enough to warrant filtering by itself, but ...)


How would I make one line case sensitive and the others not? (I know RTFM)


Actually, you can't make one condition line case sensitive and the others
not.  You have to use more than one recipe.

On Fri, 4 Oct 2002, Mark T. Valites wrote:


Bugbear is a distinct & separate virus from klez:

http://securityresponse.symantec.com/avcenter/venc/data/w32(_dot_)bugbear(_at_)mm(_dot_)html

It hasn't really hit here yet, but I'd rather be proactive instead of
waiting for it to hit first.


Accordign to the symantec report, the virus propagates using files with
executable extensions.  John Conover's quarantine.outlook.attachments.txt
procmail recipes, or my viriirc.txt based on it, should catch that.  You
can find mine at <http://www.well.com/user/barts/email/viriirc.txt>.

Of course that won't help you if you share a networked drive with an 
unprotected PC.

Warning, the quarantine recipes referenced above tend to err on the side
of caution (particularly JC's) and may trap innocent messages as well.  
The viriirc.txt recipes are designed to make it easy to recover those
innocent ones, at the risk of giving the clueless an indirect access to
the dangerous ones.

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: bugbear filtering, Don Hammond
Next by Date:  Re: is there a way to evade /etc/procmailrc ?, listuser
Previous by Thread:  Re: bugbear filtering, Professional Software Engineering
Next by Thread:  Re: bugbear filtering, Stan Ryckman
Indexes:  [Date] [Thread] [Top] [All Lists]