[Esd-l] Badtrans signature for local-rules
Howard Lowndes
lannet at lannet.com.au
Mon Nov 26 13:23:00 PST 2001
I'm confused.
If I am already trapping double extensions using the sanitizer, then
haven't I already secured myself? Why this extra selection?
On Mon, 26 Nov 2001, John D. Hardin wrote:
> Okay, here is the final local-rules ruleset for detecting and
> quarantining badtrans. I'll add it to the website later today.
>
> If you're not using the sanitizer, modify the action section
> appropriately.
>
> Beware line-wrap.
>
>
>
> # Trap BadTrans? (signature as of 11/26/2001)
> #
> :0
> * > 40000
> * < 50000
> * ^Subject:.*Re:
> * ^Content-Type:.*multipart/related;.*"multipart/alternative";.*boundary="====_ABC1234567890DEF_===="
> {
> :0 B hfi
> * ^Content-Type: audio/x-wav;
> * ^Content-ID: <EA4DMGBP9p>
> * ^Content-Transfer-Encoding: base64
> | formail -A "X-Content-Security: [$HOST] NOTIFY" \
> -A "X-Content-Security: [$HOST] QUARANTINE" \
> -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
> }
>
>
>
> --
> John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> jhardin at impsec.org pgpk -a jhardin at wolfenet.com
> 768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
> 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> In 1998 more than three times as many people in the US were killed
> by incompetent physicians than were killed by handguns, yet the
> President of the A.M.A. is adopting "gun safety" as his platform.
> -----------------------------------------------------------------------
> 1072 days until the Presidential Election
>
> ---------- Forwarded message ----------
> Date: Mon, 26 Nov 2001 11:17:51 -0800
> From: Procmail Security daemon <postmaster at impsec.org>
> To: jhardin at hq.impsec.org
> Subject: SECURITY WARNING - possible email attack
>
> REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
> REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
> STATUS: Message quarantined in /var/spool/mail/security, not delivered to recipient.
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
>
--
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"We are either doing something, or we are not.
'Talking about' is a subset of 'not'."
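As an added example (not code from either post), the five conditions of the quoted procmail recipe re-expressed as a Python check over a message's size, headers and MIME parts, so the signature can be exercised offline. The boundary, Content-ID, size window and header patterns come from the recipe; the sample message, its addresses and the base64 padding are constructed here for the test.

```python
import re
from email import message_from_bytes

# Values copied from the posted procmail recipe.
OUTER_BOUNDARY = '====_ABC1234567890DEF_===='
CONTENT_ID = '<EA4DMGBP9p>'
# Same pattern the recipe applies to the top-level Content-Type header.
OUTER_CT_RE = re.compile(
    r'multipart/related;.*"multipart/alternative";.*boundary="'
    + re.escape(OUTER_BOUNDARY) + '"')


def build_sample(content_id: str = CONTENT_ID, base64_lines: int = 5000) -> bytes:
    """Constructed test message (not a real worm capture) laid out like the
    signature; the default padding puts its size inside the 40000..50000 window."""
    return (
        'From: sender@example.invalid\n'
        'To: recipient@example.invalid\n'
        'Subject: Re: hello\n'
        f'Content-Type: multipart/related; type="multipart/alternative"; '
        f'boundary="{OUTER_BOUNDARY}"\n'
        '\n'
        f'--{OUTER_BOUNDARY}\n'
        'Content-Type: text/plain\n'
        '\n'
        'hi\n'
        f'--{OUTER_BOUNDARY}\n'
        'Content-Type: audio/x-wav;\n'
        f'Content-ID: {content_id}\n'
        'Content-Transfer-Encoding: base64\n'
        '\n'
        + 'QUJDRA==\n' * base64_lines      # filler, not real attachment data
        + f'--{OUTER_BOUNDARY}--\n'
    ).encode()


def matches_badtrans_signature(raw: bytes) -> bool:
    """Recipe conditions in order: size window, 'Re:' in Subject, outer
    Content-Type pattern, then a body part that is audio/x-wav with the fixed
    Content-ID and base64 transfer encoding (the ':0 B' block)."""
    if not 40000 < len(raw) < 50000:
        return False
    msg = message_from_bytes(raw)
    if 'Re:' not in msg.get('Subject', ''):
        return False
    if not OUTER_CT_RE.search(msg.get('Content-Type', '')):
        return False
    for part in msg.walk():
        if (part.get_content_type() == 'audio/x-wav'
                and part.get('Content-ID') == CONTENT_ID
                and part.get('Content-Transfer-Encoding', '').lower() == 'base64'):
            return True
    return False
```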