procmail

Re: Sobig.F recipe

2003-08-20 07:26:12
I've had success using this recipe:
 
:0HBw
* > 70000
* < 120000
* ^Subject: (Re: Re: Thank you!|Re: Thank you!|Thank you!|Your details|Re: Details|Re: Re: My details|Re: Approved|Re: Your application|Re: Wicked screensaver|Re: That movie)
* \.(pif|scr)
* the attached file for details
/var/log/procmail/quarantine/virus_sobig.f
 
Most of the ones I've seen are over 100kB in size.

Frode Lillerud
 
-------Original Message-------
 
From: procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
Date: 19. august 2003 23:51:09
To: procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
Subject: Re: Sobig.F recipe
 
On Tue, 19 Aug 2003, Klaus Johannes Rusch wrote:
 
KJR>
KJR> Sobig.F has some special characteristics which you should check also:
KJR>
KJR> :0 BH
KJR> * ^X-MailScanner: Found to be clean
KJR> * ^X-Mailer: Microsoft Outlook
KJR> * filename="[a-z0-9]\.pif"
KJR>
 
 
I had a mini avalanche this evening, with headers like this, hitting the
autoresponder.
 
I put this in:
 
 
## your_document.pif, thank_you.pif and others
:0 B :
* ^TYg45jEaa7EKGvkUwszJYGUwjTJWkCSxN9IbQBPZPwxmHINeoyVswne23sTxdaFYLOyc4Z2nKq
IN.zzzz.viruses
 
 
and it is trapping them.
 
 
I just take a line that doesn't have characters like * + / in
 
 
I have been thinking that it would be rather nice to semi-automate this.
Bring up a message in Pine and run a filter to find a suitable line and
create the procmail recipe. I shall have a ponder.
 
 
 
Alan
 
 
( Please do not email me AS WELL as replying to the list. Please
address personal email to alan+1@ as lists@ is not read. A
password autoresponder may be invoked if this email is very old. )
 
 
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
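
One way to do the semi-automation described in the quoted message, as an added example that is not code from this thread: it picks a base64 attachment line made only of letters and digits and builds a recipe in the same shape as the one quoted above. The function names, the `skip` and `min_distinct` thresholds and the sample message are assumptions constructed for illustration.

```python
import email
import re

# Letters and digits only: nothing the procmail regex engine treats specially,
# so the line can be pasted into a condition without escaping.
SAFE_LINE = re.compile(r"[A-Za-z0-9]{60,76}")

def candidate_lines(raw_message, skip=2, min_distinct=20):
    """Return base64 lines from .pif/.scr attachments usable as body signatures."""
    found = []
    for part in email.message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        if not (part.get_filename() or "").lower().endswith((".pif", ".scr")):
            continue
        # Skip the first lines: they encode the executable header, which is
        # near-identical across unrelated programs and would match clean files.
        for line in part.get_payload().splitlines()[skip:]:
            line = line.strip()
            # min_distinct rejects runs such as "AAAA..." (encoded zero padding).
            if SAFE_LINE.fullmatch(line) and len(set(line)) >= min_distinct:
                found.append(line)
    return found

def make_recipe(raw_message, folder, note):
    """Build a recipe in the same shape as the one quoted in this thread."""
    lines = candidate_lines(raw_message)
    if not lines:
        return None
    return f"## {note}\n:0 B :\n* ^{lines[0]}\n{folder}\n"

# Constructed sample message: not real Sobig.F data.
GOOD = ("ConstructedSampleLine0123456789xyz" * 3)[:76]
SAMPLE = "\n".join([
    "Subject: Re: Details", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"', "", "--b1",
    'Content-Type: application/octet-stream; name="sample.pif"',
    "Content-Transfer-Encoding: base64", "",
    "TVqQ" + "A" * 72, "A" * 76, "ab+/" * 19, GOOD, "--b1--", "",
])

if __name__ == "__main__":
    print(make_recipe(SAMPLE, "IN.zzzz.viruses", "sample.pif"))
```

A signature taken from a single sample should be tested against a folder of known-good mail with attachments before it is allowed to file messages away.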
 