[Esa-l] Poisoning "from" and subject line?

Bjarni R. Einarsson bre at klaki.net
Thu Nov 30 12:36:06 PST 2000


On 2000-11-30, 13:56:14 (-0600), Dustin Ankeny wrote:
> I've been having some difficulty with the poisoned list, with viruses like
> hybris (which does not have a standard exe/scr name, it has a list of names
> randomly picked) so therefore hard to poison... but it always appears to be
> sent from...
> 
> From: Hahaha <hahaha at sexyfun.net>
> 
> Or it always has a standard subject line of
> 
> Subject: Snowhite and the Seven Dwarfs - The REAL story!

This is incorrect - I've received a copy of Hybris which had neither
characteristic.  But you're right: that is *one* good way to block
*some* of the Hybris messages out there.  Same goes for some spam,
and some other viruses.  Having a simple way to do this has proved
very effective at slowing outbreaks like Melissa or the love bug.

> Anyway getting to my point, could there also be poisoned list for the
> subject line as well as the from field? (possibly others?)  I know this is

I believe this is overkill.  If you are using John's sanitizer, then
you are already using procmail, which supports things like this with
a very simple, yet powerful syntax.  It doesn't make sense to
complicate the sanitizer until it reimplements procmail within
itself.

Just create a file named "viruses.rc", put it wherever you keep your
procmail rulesets, and make it contain something like this:

  # Where to put matching messages.  Choose ONE of the three settings.
  # Default: a single quarantine mailbox (adjust the path for your site).
  QUARANTINE=/path/to/quarantine/viruses
  # Uncomment this to save viruses in a different mailbox for each user
  #QUARANTINE=/path/to/quarantine/viruses.$LOGNAME
  # Uncomment this to forward viruses to an admin
  #QUARANTINE=!admins@email.address

  # Hybris: catch its usual subject line (use ":0:" instead of ":0" to
  # lock the mailbox if QUARANTINE is a file rather than a forward)
  :0
  * ^Subject:.*Snowhite and the Seven Dwarfs - The REAL story!
  $QUARANTINE

  # Hybris: catch its usual sender address
  :0
  * ^From:.*hahaha@sexyfun\.net
  $QUARANTINE

Then you can include these checks in your /etc/procmailrc or
individual .procmailrc files with a line like this:

  INCLUDERC=/path/to/viruses.rc

... of course, please test this before deploying it globally.  I
wrote it from memory and probably made one or two mistakes.

Just my two cents, hope this helps. :-)

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
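As an added illustration (not part of Bjarni's post, of the sanitizer, or of procmail itself), the following Python script applies the same two header checks as the procmail recipes above to a handful of constructed sample messages. The rule file format, the `load_rules` and `quarantine_reason` functions, and the sample messages are all assumptions made for this example. The fourth sample is a Hybris-style message that carries neither the usual subject nor the usual sender, which shows why a header-only "poisoned list" catches only some copies of such a virus and is a supplement to, not a replacement for, attachment sanitizing.

```python
import email
import re

# Constructed rule list in a "Header: regex" per-line format (an assumption
# for this example; it mirrors the two procmail recipes in the post).
RULE_TEXT = """
# Hybris markers
Subject: Snowhite and the Seven Dwarfs - The REAL story!
From: hahaha@sexyfun\\.net
"""


def load_rules(text):
    """Parse 'Header: regex' lines into (header, compiled_regex) pairs.

    Blank lines and '#' comments are skipped; header names are lower-cased
    so lookups are case-insensitive, like procmail's header matching.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header, _, pattern = line.partition(":")
        rules.append((header.strip().lower(), re.compile(pattern.strip(), re.I)))
    return rules


def quarantine_reason(raw_message, rules):
    """Return the name of the first header rule that matches, or None.

    Only the named header is inspected (not the body), which is the same
    scope as the '* ^Subject:' / '* ^From:' procmail conditions.
    """
    msg = email.message_from_string(raw_message)
    for header, pattern in rules:
        value = msg.get(header, "")
        if pattern.search(value):
            return header
    return None


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    # 1: classic Hybris copy, both markers present -> caught on Subject
    "From: Hahaha <hahaha@sexyfun.net>\n"
    "Subject: Snowhite and the Seven Dwarfs - The REAL story!\n\n"
    "attachment would follow\n",
    # 2: ordinary mail -> delivered normally
    "From: colleague@example.com\nSubject: Re: lunch?\n\nSee you at noon.\n",
    # 3: only the sender marker -> caught on From
    "From: hahaha@sexyfun.net\nSubject: something new\n\nbody\n",
    # 4: Hybris-style variant with neither marker -> NOT caught by this list
    "From: Hahaha <forged@example.org>\nSubject: Today's joke\n\nbody\n",
]

RULES = load_rules(RULE_TEXT)


def scan_samples():
    """Apply the rule list to every constructed sample message."""
    return [quarantine_reason(m, RULES) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for raw, reason in zip(SAMPLE_MESSAGES, scan_samples()):
        subject = email.message_from_string(raw).get("subject")
        print(f"{subject!r:55} -> {reason or 'deliver'}")
```

The script keeps the rules as data rather than as procmail recipes so a list of header markers can be updated without touching delivery logic; the trade-off, visible in sample 4, is that anything which changes its headers slips past such a list entirely.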



More information about the esd-l mailing list