FW: [Esd-l] Log statements in the "local" Procmail recipe
Smart, Dan
SmartD at VMCMAIL.com
Tue Oct 29 14:11:00 PST 2002
Classification: PUBLIC
Here's my completed local-rules.procmail recipe. Thanks for the help...
<<Dan>>
==============================================================
## Catch Cytron E-Card worm
:0
* > 110000
{
:0 B
* You Have Received an E-Card
{
LOG="TRAPPED: Cytron E-Card worm"
# hfi: pass only the header through formail as a filter, ignore write errors
:0 hfi
| formail -A "X-Content-Security: [${HOST}] NOTIFY" \
-A "X-Content-Security: [${HOST}] QUARANTINE" \
-A "X-Content-Security: [${HOST}] REPORT: Trapped E-Card worm"
}
}
# Detect Hybris when sent as an anonymous message.
#
:0
* > 20000
* !^Subject:
* !^To:
* ^Content-Type:.*multipart/mixed;
{
:0 B
* 1^1 ^Content-Disposition:.*\.EXE
* 1^1 ^Content-Type:.*\.EXE
{
LOG="TRAPPED: Anonymous Executable (Hybris)"
:0 hfi
| formail -A "X-Content-Security: [${HOST}] NOTIFY" \
-A "X-Content-Security: [${HOST}] QUARANTINE" \
-A "X-Content-Security: [${HOST}] REPORT: Trapped anonymous executable"
}
}
# Trap SirCam (signature as of 08/01/2001)
#
:0
* > 130000
* ^Content-Type:.*multipart/mixed;
{
# The three alternatives are the same binary signature at the three possible
# base64 alignments (the attachment bytes may start at offset 0, 1 or 2 of a group)
:0 B
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
{
LOG="TRAPPED: SirCam worm"
:0 hfi
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped SirCam worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html"
}
}
# Trap BadTrans (signature as of 11/26/2001)
#
:0
* > 40000
* < 50000
* ^Subject: Re:
* ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
{
:0 B
* ^Content-Type: audio/x-wav;
* ^Content-ID: <EA4DMGBP9p>
* ^Content-Transfer-Encoding: base64
{
LOG="TRAPPED: BadTrans worm"
:0 hfi
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
}
}
# Trap Klez (signature as of 04/26/2002)
# Trap BugBear (signature as of 10/06/2002)
#
:0
* > 50000
* ^Content-Type:.*multipart/alternative;
{
# TVqQAAMAAAAEAAAA is the base64 of the standard MZ (DOS/PE executable) header
:0 B
* \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
* ^Content-Type:.*audio/
* ^Content-ID:.*<
* ^Content-Transfer-Encoding: base64
* ^TVqQAAMAAAAEAAAA
{
:0
* > 100000
{
LOG="TRAPPED: Probable Klez worm"
:0 hfi
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
}
:0 E
* > 50000
{
LOG="TRAPPED: Probable BugBear worm"
:0 hfi
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible BugBear worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html"
}
}
:0 B E
* H ?? ^Subject: A( (special|very))?[ ][ ][a-z]
* ^Content-Type:.*application/octet-stream
* ^Content-ID:
* ^Content-Transfer-Encoding: base64
* ^TVqQAAMAAAAEAAAA
{
LOG="TRAPPED: Probable Klez worm"
:0 hfi
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"
}
}
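Added example (not part of Dan's post or of the Sanitizer project): it shows why the SirCam rule above needs three base64 alternatives while the Klez/BugBear rules get by with the single TVqQ... pattern. SIRCAM_CORE and the sample attachment bytes are constructed here by decoding the posted patterns; the MZ header bytes are the standard linker stub.

```python
import base64
import math
import re

# The three SirCam body patterns from the recipe (copied, not constructed).
SIRCAM_PATTERNS = ("AAAAGgU0NhbTMyABCDTUlN",
                   "AAAAAaBTQ2FtMzIAEINNSU1F",
                   "ABkAAAABoFNDYW0zMgAQg01J")
# Constructed: the bytes common to all three patterns once decoded.
SIRCAM_CORE = b"\x01\xa0SCam32\x00\x10\x83MI"
# Standard DOS stub header at file offset 0 of a PE executable. A file always
# starts a fresh base64 group, so one pattern covers it (the recipe's TVqQ...).
PE_HEADER_B64 = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00").decode()


def base64_phase_variants(sig: bytes) -> list:
    """Base64 fragments for `sig` starting at byte offset 0, 1 and 2 of a
    3-byte group. Only characters whose six bits lie wholly inside `sig` are
    kept, so each fragment is independent of the surrounding attachment bytes."""
    variants = []
    for k in range(3):
        padded = b"\x00" * k + sig
        padded += b"\x00" * (-len(padded) % 3)   # complete the final 24-bit group
        enc = base64.b64encode(padded).decode("ascii")
        first = math.ceil(8 * k / 6)              # first char entirely inside sig
        last = (8 * k + 8 * len(sig)) // 6        # one past the last such char
        variants.append(enc[first:last])
    return variants


def encode_attachment(data: bytes, width: int = 76) -> str:
    """Base64-encode `data` and wrap at `width` columns like a MIME body part."""
    enc = base64.b64encode(data).decode("ascii")
    return "\n".join(enc[i:i + width] for i in range(0, len(enc), width))


def body_matches(body: str, fragments) -> bool:
    """procmail-style body test: does any one line contain a fragment?
    As in procmail, a fragment split across a line break is not matched."""
    rx = re.compile("|".join(map(re.escape, fragments)))
    return any(rx.search(line) for line in body.splitlines())


def alignments_caught(fragments) -> int:
    """Embed SIRCAM_CORE at byte offsets 0, 1 and 2 of a constructed attachment
    and count how many of the three placements `fragments` detect."""
    data = [b"\x00" * k + SIRCAM_CORE + b"ME" + b"\x00" * 30 for k in range(3)]
    return sum(body_matches(encode_attachment(d), fragments) for d in data)
```

A single alignment catches only one of the three placements, all three catch every one; note the line-wrap caveat in body_matches, which applies equally to the procmail rule.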