procmail

Re: Sobig.F recipe

2003-08-21 10:25:38

I think everybody has their own favorite way of detecting viruses/worms
in e-mail attachments. Mine is at:

    http://www.johncon.com/john/receivedIP/howto-virus.txt

but it does involve searching the body.

        John

Daniel Liston writes:

I've had success using this recipe:
 
# Sobig.F: size window, known subject lines, .pif/.scr attachment, lure text.
# H and B: match against headers and body; w: wait for the write to complete.
# Alternation needs (...), not [...]; [...] is a character class in egrep syntax.
:0HBw
* > 70000
* < 120000
* ^Subject: (Re: Re: Thank you!|Re: Thank you!|Thank you!|Your details|\
Re: Details|Re: Re: My details|Re: Approved|Re: Your application|\
Re: Wicked screensaver|Re: That movie)
* (\.pif|\.scr)
* the attached file for details
/var/log/procmail/quarantine/virus_sobig.f
 
Most of the ones I've seen are over 100kB in size.

Your Subject: filter could use a bit of work,

* ^Subject:.*(re: )*(thank you|(my |your )?(details|app)|your app|Wicked|that movie)

will catch everything that your rule will catch, plus some.  Though I
am not sure I would want to filter on subject at all when I am looking
for a virus.  The subject can and probably will someday be completely
random, or, if you start with that assumption, you will have to go back
and make changes every time a new strain of the virus is released.  I
use the same argument on .pif|.scr, since this could also mutate into
.zip|.exe|.com and so on.

Viruses are MIME attachments to emails (at least the ones we can find
with procmail are).  The maximum size keeps growing, but there is a
constant for the minimum size.  Distinct headers for the virus have
been posted, but I think we can assume that headers will not be
permanent either. What should be permanent however, is the body
signature.

-- 

John Conover, conover(_at_)rahul(_dot_)net, http://www.rahul.net/~conover

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
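As an added illustration of the body-signature argument in the quoted reply (this is not code from the thread or from procmail), here is a POSIX sh check that applies the quoted recipe's size window, attachment extensions and lure sentence while ignoring the Subject: header entirely. The two sample messages are constructed inline; the 70000/120000 bounds and the matched strings come from the recipe above.

```shell
#!/bin/sh
# Added example: quarantine decision from size window + body signature only.
MIN_SIZE=70000    # bounds taken from the recipe quoted in the thread
MAX_SIZE=120000

# Returns 0 when the message file matches the body signature: size inside the
# window, a *.pif or *.scr attachment declared in a MIME part header, and the
# lure sentence in the body text. The Subject: header is deliberately ignored.
sobig_body_match() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -ge "$MIN_SIZE" ] && [ "$size" -le "$MAX_SIZE" ] || return 1
    # sed drops the top-level headers; the body with its part headers remains.
    sed '1,/^$/d' "$1" | grep -Eiq '^Content-(Type|Disposition):.*name="?[^";]*\.(pif|scr)' || return 1
    sed '1,/^$/d' "$1" | grep -iq 'the attached file for details'
}

# Builds a constructed multipart message: $1 output path, $2 subject,
# $3 attachment name, $4 number of ~80-byte padding lines (controls the size).
make_sample() {
    {
        printf 'From: sender@example.invalid\nTo: you@example.invalid\nSubject: %s\n' "$2"
        printf 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        printf '%s\nContent-Type: text/plain\n\nPlease see the attached file for details.\n\n' '--b1'
        printf '%s\nContent-Type: application/octet-stream; name="%s"\n' '--b1' "$3"
        printf 'Content-Transfer-Encoding: base64\n\n'
        awk -v n="$4" 'BEGIN { for (i = 0; i < n; i++) print "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUFFSU1RVVg==" }'
        printf '%s\n' '--b1--'
    } > "$1"
}

TMP=${TMPDIR:-/tmp}/sobig_demo.$$
mkdir -p "$TMP"
WORM=$TMP/worm.eml    # random subject, .pif attachment, ~81 kB: must match
CLEAN=$TMP/clean.eml  # worm-style subject, .txt attachment, tiny: must not match
make_sample "$WORM"  'zq7 plx 0193' 'your_details.pif' 1000
make_sample "$CLEAN" 'Thank you!'   'notes.txt'        3

for f in "$WORM" "$CLEAN"; do
    if sobig_body_match "$f"; then echo "quarantine: $f"; else echo "deliver:    $f"; fi
done
```

The worm-like sample is flagged despite its meaningless subject, and the small message with a genuine Sobig.F subject line is delivered, which is the behaviour a subject-based rule cannot give you.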
