Thu, 19 Feb 2004, by robin1.listas@tiscali.es:
The Tuesday 2004-02-17 at 21:41 +0100, Theo v. Werkhoven wrote:
[..]
/^SUBJECT: /i WARN sub6 (I'm going to change that to DISCARD also, there doesn't seem to be any false positive)
What are those about? I have not seen them.
Also worm-signs. Tricky stuff this Internet-spice.
message reject warning detail
-----------------------------
cleanup
header (total: 3)
1 SUBJECT: Error Advice
1 SUBJECT: Newest Network Update
1 SUBJECT: newest microsoft update
/From:.*(delivery|security|e?mail|technical|public|storage|message|technical|(i|inter)+net)+\s+(system|section|assistance|service(s)?|bulletin|division|support|center)+/ DISCARD frm2
message discard detail
----------------------
cleanup
header (total: 20)
1 FROM: "Public Assistance"
No bounces, no rejects, just silent drop in the bitbucket.
I use something similar for executable attaches:
/(filename|name)=".*\.(scr|pif|exe|com|bat)"/ REJECT "*** DOS/WIN executables rejected ***"
Of course, that's the next hurdle
cleanup
header (total: 6)
1 Content-Type: application/x-msdownload; name="Installation.exe"
1 Content-Type: application/x-msdownload; name="Q479567.exe"
1 Content-Type: audio/x-wav; name="hjfbhddy.exe"
1 Content-Type: application/x-msdownload; name="Qyx.exe"
1 Content-Type: audio/x-wav; name="ewmxwn.scr"
1 Content-Type: audio/x-wav; name="cntxzwvl.bat"
Most of them are caught - but the mydoom attaches got through, because they came in zip form.
That didn't stop or even delay the real tenacious "click on *" Windows users of course. Hell no, even if they hide the viruses in .cc files that the users have to compile themselves, they *will* be launched.

Theo
--
Theo v. Werkhoven    Registered Linux user# 99872 http://counter.li.org
ICBM 52 13 27N , 4 29 45E.     +      ICQ: 277217131
SUSE 8.2                       +   Jabber: gurp@jabber.org
Kernel k_athlon-2.4.20         +      MSN: twe-msn@ferrets4me.xs4all.nl
See headers for PGP/GPG info.  +
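
Added example, not part of the original thread: a small Python model of how the three header_checks rules quoted above are evaluated (first matching pattern wins), run over header lines taken from the log excerpts plus two constructed ones. The function names are illustrative, and Python's `re` stands in for Postfix's own regexp engine.

```python
import re

# Rules as quoted in the thread, in Postfix header_checks syntax.
RULES_TEXT = r'''
/^SUBJECT: /i WARN sub6
/From:.*(delivery|security|e?mail|technical|public|storage|message|technical|(i|inter)+net)+\s+(system|section|assistance|service(s)?|bulletin|division|support|center)+/ DISCARD frm2
/(filename|name)=".*\.(scr|pif|exe|com|bat)"/ REJECT "*** DOS/WIN executables rejected ***"
'''

RULE_LINE = re.compile(r'^/(.*?)/([a-z]*)\s+(\S+)\s*(.*)$')

def load_rules(text):
    """Parse '/pattern/flags ACTION text' lines into (regex, action, text)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue
        pattern, flags, action, arg = m.groups()
        # Postfix tables match case-insensitively by default; an "i" flag
        # toggles that, so /^SUBJECT: /i is a case-SENSITIVE match.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action, arg))
    return rules

def check(rules, header):
    """Return the action of the first matching rule, or None (header passes)."""
    for regex, action, _arg in rules:
        if regex.search(header):
            return action
    return None

RULES = load_rules(RULES_TEXT)

# The first four lines come from the log excerpts above; the last two are constructed.
SAMPLES = [
    'SUBJECT: newest microsoft update',
    'FROM: "Public Assistance"',
    'Content-Type: application/x-msdownload; name="Installation.exe"',
    'Content-Type: audio/x-wav; name="ewmxwn.scr"',
    'Subject: lunch tomorrow',                             # ordinary mixed-case Subject
    'Content-Type: application/zip; name="document.zip"',  # zipped attachment
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check(RULES, header) or 'pass':8} {header}")
```

The zipped attachment passes all three rules, which is the gap the mydoom attachments went through; closing it at this layer means adding `zip` to the extension list or handing attachments to a content scanner.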