procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Sobig.F recipe

2003-08-22 04:20:00
from [Lester Garrett] [Permanent Link] 
At 02:04 PM 8/19/2003 -0600, linux303 wrote:


All,

Because the Sobig.F Worm is about 72K in size, would this work?

:0 B
* > 73000
* < 75000
* [.pif|.scr]
/var/log/quarantine
Rather than attempt to deal with viruses individually, we block all executable attachements based on file extensions and write them to a "base64-virus.in" file for review. 

:0 B
* (name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.bat|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.com|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.dll|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.exe|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.hta|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.htm|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.html|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.pif|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.rar|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.scr|\ name[=:; ]+.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*.*[ ]*\.vbs) 
{
  :0 B
* (Content-Transfer-Encoding: base64)
    $HOME/base64-virus.in
}

-={lsg}=-


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Virus filter, LuKreme
Next by Date:  FW: FW: How procmail behaves on program failure (Was: Re: (no subject)), Joe Ruddy
Previous by Thread:  Re: Sobig.F recipe, LuKreme
Next by Thread:  Re: Sobig.F recipe, Daniel Liston
Indexes:  [Date] [Thread] [Top] [All Lists]