
recent slew of viruses posted to Procmail list

2004-02-01 17:05:17

ALL originate from 203.197.156.198 (FOURTEEN copies onlist as I write this). Those attachments will have failed to be identified as viruses because they aren't viruses - they're stubs indicating that the A/V system at rwth-aachen.de (the list host) successfully scrubbed the messages. Unfortunately, it appears to decide it should forward the messages on to the list instead of bouncing them to the listadmin web interface.

However, at least for list messages, these messages can be scuttled easily enough:

# The [   ] in the second condition must hold a literal space and a tab.
:0:
* ^X-BeenThere: procmail@lists\.RWTH-Aachen\.DE
* ^Received:[   ]*from localhost
* B ?? ^Client: MailMonitor for SMTP
* B ?? ^Virus identity found:
procmail_virus_spooge.mbx

The second condition is consistent with all of the messages in this case, but for a more generic filter, it should be removed.

Since I received a number of successfully quarantined copies directly from the same IP source, chances are good the participants on this list will receive, or have already received, multiple copies at their own hosts as well. I've gone so far as to add the source IP to a viral blacklist on my own net.

Quite obviously, some current or past subscriber to the procmail list is a total fsck.

The more I think about it, the more a globally accessible INFECTIOUS HOST DNSBL makes sense. The problem is the overhead of administering it, and getting hosts to subscribe to its use: the more hosts that subscribe, the easier it'd be to put a clamp down on the spread of email viruses (and certainly dramatically reduce the network bandwidth consumed by them).

Note that the list config could be switched to PLAIN TEXT ONLY, though before doing so, I'd need to pass it by the admin at rwth-aachen.
---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
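
A dry-run check for the recipe's four conditions, added here as an example (it is not part of the original post), so the strict and generic forms can be compared on saved mail before the recipe is deployed. The sample messages are constructed, and the function name and the `require_localhost` switch are hypothetical.

```python
import re
from email import message_from_string

# procmail matches case-insensitively and "^" anchors at any line start.
LIST_HDR = re.compile(r"procmail@lists\.RWTH-Aachen\.DE", re.I)
LOCALHOST = re.compile(r"from localhost", re.I)
BODY_MARKERS = [
    re.compile(r"^Client: MailMonitor for SMTP", re.I | re.M),
    re.compile(r"^Virus identity found:", re.I | re.M),
]

def is_scrubbed_stub(raw, require_localhost=True):
    """Return True when the message would satisfy the recipe's conditions.

    require_localhost=False drops the Received condition (the generic form).
    """
    raw = raw.replace("\r\n", "\n")
    msg = message_from_string(raw)
    # "B ??" tests the raw body, MIME parts included, so split it off undecoded.
    body = raw.partition("\n\n")[2]
    if not any(LIST_HDR.match(v) for v in msg.get_all("X-BeenThere", [])):
        return False
    if require_localhost and not any(
        LOCALHOST.match(v) for v in msg.get_all("Received", [])
    ):
        return False
    return all(p.search(body) for p in BODY_MARKERS)

# Constructed sample messages (hosts, dates and virus name are placeholders).
HEADERS = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.example.org; Sun, 1 Feb 2004 12:00:00 +0100\n"
    "X-BeenThere: procmail@lists.RWTH-Aachen.DE\n"
    "Subject: constructed sample\n\n"
)
STUB = HEADERS + "Client: MailMonitor for SMTP\nVirus identity found: PLACEHOLDER\n"
# A reply quoting the stub: the "> " prefix defeats the line-start anchors.
QUOTED = HEADERS + "> Client: MailMonitor for SMTP\n> Virus identity found: X\n"
# Same stub, but not relayed via localhost.
REMOTE = STUB.replace("from localhost (localhost [127.0.0.1])", "from mx.example.net")

if __name__ == "__main__":
    for name, m in [("stub", STUB), ("quoted", QUOTED), ("remote", REMOTE)]:
        print(name, is_scrubbed_stub(m), is_scrubbed_stub(m, require_localhost=False))
```

The quoted reply is rejected in both modes because the body conditions are anchored to line starts, so list discussion that quotes a stub is not swept into the quarantine folder.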

