FW: [Esd-l] Log statements in the "local" Procmail recipe

Smart, Dan SmartD at VMCMAIL.com
Tue Oct 29 08:48:01 PST 2002


Classification: PUBLIC

I have attached the updated local recipe.
It's getting multiple extraneous flag errors.

procmail: Extraneous filter-flag ignored
procmail: Extraneous deliver-head flag ignored
procmail: Extraneous ignore-write-error flag ignored

What am I doing wrong?

<<Dan>>

Local-rules.procmail ------------------------------------------
# Detect Hybris when sent as an anonymous message.
#
:0
* > 20000
* !^Subject:
* !^To:
* ^Content-Type:.*multipart/mixed;
{
        :0 B hfi
        * 1^1 ^Content-Disposition:.*\.EXE
        * 1^1 ^Content-Type:.*\.EXE
        {
          LOG="TRAPPED: Anonymous Executable (Hybris)"
        :0
        | formail -A "X-Content-Security: [${HOST}] NOTIFY" \
                  -A "X-Content-Security: [${HOST}] QUARANTINE" \
                  -A "X-Content-Security: [${HOST}] REPORT: Trapped anonymous executable"
        }
}

# Trap SirCam (signature as of 08/01/2001)
#
:0
* > 130000
* ^Content-Type:.*multipart/mixed;
{
        :0 B hfi
        * ^Content-Disposition: attachment;
        * ^Content-Transfer-Encoding: base64
        * AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
        {
          LOG="TRAPPED: SirCam worm"
        :0
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped SirCam worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html"
        }
}

# Trap BadTrans (signature as of 11/26/2001)
#
:0
* > 40000
* < 50000
* ^Subject: Re:
* ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
{
        :0 B hfi
        * ^Content-Type: audio/x-wav;
        * ^Content-ID: <EA4DMGBP9p>
        * ^Content-Transfer-Encoding: base64
        {
          LOG="TRAPPED: BadTrans worm"
        :0
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
        }
}


# Trap Klez (signature as of 04/26/2002)
# Trap BugBear (signature as of 10/06/2002)
#
:0
* > 50000
* ^Content-Type:.*multipart/alternative;
{
        :0 B
        * \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
        * ^Content-Type:.*audio/
        * ^Content-ID:.*<
        * ^Content-Transfer-Encoding: base64
        * ^TVqQAAMAAAAEAAAA
        {
                :0 hfi
                * > 100000
                {
                  LOG="TRAPPED: Probable Klez worm"
                :0
                | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                          -A "X-Content-Security: [$HOST] DISCARD" \
                          -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
                }
                :0 E hfi
                * > 50000
                {
                  LOG="TRAPPED: Probable BugBear worm"
                :0
                | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                          -A "X-Content-Security: [$HOST] DISCARD" \
                          -A "X-Content-Security: [$HOST] REPORT: Trapped possible BugBear worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html"
                }
        }

        :0 B E hfi
        * H ?? ^Subject: A( (special|very))?[ ][ ][a-z]
        * ^Content-Type:.*application/octet-stream
        * ^Content-ID:
        * ^Content-Transfer-Encoding: base64
        * ^TVqQAAMAAAAEAAAA
        {
          LOG="TRAPPED: Probable Klez worm"
        :0
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
        }
}


|-----Original Message-----
|From: John D. Hardin [mailto:jhardin at impsec.org] 
|Sent: Friday, October 25, 2002 9:54 PM
|To: Smart, Dan
|Subject: Re: FW: [Esd-l] Log statements in the "local" Procmail recipe
|
|
|On Fri, 25 Oct 2002, Smart, Dan wrote:
|
|Multiple actions MUST go in brace pairs.
|
|You may have zero tests, e.g.:
|
|   :0
|   action
|
|So,
|
|  :0
|  * rules
|  {
|     LOG="whatever"
|
|     :0
|     ACTION
|  }
|
|--
| John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
| jhardin at impsec.org                        pgpk -a jhardin at impsec.org
| key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
|-----------------------------------------------------------------------
|  ...the Fates notice those who buy chainsaws...
|                                              -- www.darwinawards.com
|-----------------------------------------------------------------------
|   54 days until The Two Towers
|
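The three warnings quoted at the top of this message are what procmail prints when the f, h and i flags sit on a recipe whose action is a brace block rather than a pipe: there is no pipe for them to filter, feed the header to, or ignore write errors on. The checker below is an added example written for this archive page; it is not code from either correspondent or from the procmail distribution. It walks an rcfile, finds every `:0` header whose action line opens with `{`, and reports those three flags. The two rcfiles embedded in it are constructed excerpts in the shape of the posted Local-rules.procmail, only the three flags named in the quoted warnings are modelled, and the skipping of comment and blank lines between a recipe's conditions and its action is this checker's own simplification rather than a statement about every procmail parsing rule.

```python
import re
from typing import Dict, List, Tuple

# procmail honours f, h and i only on a recipe whose action is a pipe ("| cmd").
# On a recipe whose action is a nesting block "{ ... }" each one draws the
# matching "Extraneous ... ignored" warning. Only these three flags are modelled.
PIPE_ONLY_FLAGS: Dict[str, str] = {
    "f": "Extraneous filter-flag ignored",
    "h": "Extraneous deliver-head flag ignored",
    "i": "Extraneous ignore-write-error flag ignored",
}

# ":0", optional flags (whitespace between them is allowed), optional ":lockfile".
RECIPE_START = re.compile(r"^\s*:0((?:\s*[A-Za-z])*)\s*(?::.*)?$")


def lint_recipes(rc_text: str) -> List[Tuple[int, str, str]]:
    """Report (line, flags, warning) for each brace-block recipe carrying f/h/i.
    Assumption of this checker: comment and blank lines between a header and its
    action are skipped, and a condition ending in a backslash continues."""
    lines = rc_text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        m = RECIPE_START.match(lines[i])
        if m is None:
            i += 1
            continue
        header_line, flags = i + 1, re.sub(r"\s+", "", m.group(1))
        i += 1
        while i < len(lines):                      # step over the conditions
            stripped = lines[i].strip()
            if stripped.startswith("*"):
                while lines[i].rstrip().endswith("\\") and i + 1 < len(lines):
                    i += 1
                i += 1
            elif stripped == "" or stripped.startswith("#"):
                i += 1
            else:
                break                              # this is the action line
        if i < len(lines) and lines[i].strip().startswith("{"):
            for flag, warning in PIPE_ONLY_FLAGS.items():
                if flag in flags:
                    findings.append((header_line, flags, warning))
    return findings


def distinct_warnings(findings: List[Tuple[int, str, str]]) -> List[str]:
    """The warning lines procmail would print, each once, in first-seen order."""
    return list(dict.fromkeys(w for _, _, w in findings))


# Constructed excerpt in the shape of the posted recipe (not the full file).
POSTED_SHAPE = r"""# Constructed excerpt in the shape of the posted Local-rules.procmail
:0
* > 20000
* ^Content-Type:.*multipart/mixed;
{
        :0 B hfi
        * 1^1 ^Content-Disposition:.*\.EXE
        {
          LOG="TRAPPED: Anonymous Executable (Hybris)"
        :0
        | formail -A "X-Content-Security: [$HOST] QUARANTINE"
        }
}

:0 B
* ^Content-Transfer-Encoding: base64
{
        :0 hfi
        * > 100000
        {
          LOG="TRAPPED: Probable Klez worm"
        :0
        | formail -A "X-Content-Security: [$HOST] DISCARD"
        }
        :0 E hfi
        * > 50000
        {
          LOG="TRAPPED: Probable BugBear worm"
        :0
        | formail -A "X-Content-Security: [$HOST] DISCARD"
        }
}
"""

# Constructed corrected shape: f, h and i sit on the recipe whose action is the pipe.
FIXED_SHAPE = r"""# Corrected shape: pipe-only flags on the pipe recipe, brace recipe keeps B
:0 B
* 1^1 ^Content-Disposition:.*\.EXE
{
  LOG="TRAPPED: Anonymous Executable (Hybris)"
  :0 hfi
  | formail -A "X-Content-Security: [$HOST] NOTIFY"
}
"""

if __name__ == "__main__":
    for line, flags, warning in lint_recipes(POSTED_SHAPE):
        print(f"line {line}: ':0 {flags}' opens a brace block -> {warning}")
    print("corrected shape findings:", lint_recipes(FIXED_SHAPE))
```

Run on the posted shape it reports `:0 B hfi`, `:0 hfi` and `:0 E hfi` three times each, once per ignored flag, which lines up with the three distinct messages in the original post; the corrected shape, with `:0 hfi` placed on the recipe whose action is the `formail` pipe and the enclosing recipe reduced to `:0 B`, reports nothing. The B and E flags are left alone on purpose: they decide which part of the message the conditions see and whether the recipe runs as an else-branch, which is meaningful on a brace recipe, so procmail does not complain about them.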