[Esd-l] Revised SoBig-F local rule
John D. Hardin
jhardin at impsec.org
Wed Aug 20 21:02:12 PDT 2003
Here's a revised rule based on the new SoBig-F variant's published
details. It's a little more general than the one posted earlier.
This is included in the sample local-rules file:
http://www.impsec.org/email-tools/local-rules.procmail
-------------------
# Trap SoBig (signature as of 08/19/2003)
#
# New Attachments:
#
# * application.zip (contains application.pif)
# * details.zip (contains details.pif)
# * document_9446.zip (contains document_9446.pif)
# * document_all.zip (contains document_all.pif)
# * movie0045.zip (contains movie0045.pif)
# * thank_you.zip (contains thank_you.pif)
# * your_details.zip (contains your_details.pif)
# * your_document.zip (contains your_document.pif)
# * wicked_scr.zip (contains wicked_scr.scr)
#
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
# B: test the conditions against the body (which carries the MIME part
# headers); h f i: feed the header through formail as a filter and ignore
# write errors on the pipe
:0 B hfi
* ^ *(Please )?see the attached (zip )?file for details\.
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
# The 9876543210^1 weight makes either name= form decisive on its own; the
# second pattern handles a folded header with name= on the continuation line
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(action|your_(details|document)|application|details|document(_all)?|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.zip"?
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(action|your_(details|document)|application|details|document(_all)?|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.zip"?
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
          -A "X-Content-Security: [$HOST] QUARANTINE" \
          -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"
}
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
73 days until Matrix Revolutions
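As an added example (not part of John's post or of the local-rules.procmail file), the same trap re-expressed in Python so its conditions can be checked against a constructed message: the byte-size window, the top-level multipart/mixed type, the lure sentence in the text part, and a base64 attachment whose name hits the rule's alternation. The function names, the sample messages and the zero-byte padding used to land inside the size window are all constructed for this illustration; the padding is not a real archive.

```python
"""Added example: the procmail SoBig-F trap re-expressed in Python so the
conditions can be run against a constructed message (not part of the
original post or of local-rules.procmail)."""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Byte window from the rule's "* > 100000" / "* < 120000" conditions.
SIZE_MIN, SIZE_MAX = 100000, 120000

# Lure sentence the rule looks for in the body; "(zip )?" makes that word optional.
BODY_RE = re.compile(r"^ *(Please )?see the attached (zip )?file for details\.",
                     re.IGNORECASE | re.MULTILINE)

# Attachment-name alternation copied from the rule. The email parser unfolds
# headers for us, so the rule's second "name= on the next line" pattern is
# covered by this single match on the parsed filename.
ATTACHMENT_RE = re.compile(
    r"^(action|your_(details|document)|application|details|document(_all)?"
    r"|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.zip$",
    re.IGNORECASE,
)


def matches_sobig_rule(raw: bytes) -> bool:
    """True when the raw message satisfies every condition of the trap:
    size window, top-level multipart/mixed, lure sentence in a text part,
    and a base64 attachment whose filename matches ATTACHMENT_RE."""
    if not (SIZE_MIN < len(raw) < SIZE_MAX):
        return False
    msg = message_from_bytes(raw, policy=default)
    if msg.get_content_type() != "multipart/mixed":
        return False
    lure_seen = attachment_seen = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/plain" and BODY_RE.search(part.get_content()):
            lure_seen = True
        disposition = (part.get("Content-Disposition") or "").lower()
        encoding = (part.get("Content-Transfer-Encoding") or "").lower()
        if (disposition.startswith("attachment") and encoding == "base64"
                and ATTACHMENT_RE.match(part.get_filename() or "")):
            attachment_seen = True
    return lure_seen and attachment_seen


def build_message(body: str, filename: str, payload: bytes) -> bytes:
    """Constructed test fixture: a multipart/mixed message carrying one
    base64 attachment. The payload is padding, not a real archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your details"
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()


# 78000 bytes of padding base64-encode to roughly 105 KB, inside the size window.
PADDING = b"\0" * 78000
WORM_LIKE = build_message("Please see the attached zip file for details.",
                          "your_details.zip", PADDING)
BENIGN = build_message("Quarterly numbers attached.", "report_2003.zip", PADDING)

if __name__ == "__main__":
    print("worm-like message trapped:", matches_sobig_rule(WORM_LIKE))  # True
    print("benign message trapped:   ", matches_sobig_rule(BENIGN))     # False
```

Because Python's parser unfolds headers before the filename is read, the rule's two weighted name= conditions collapse into one check here; the procmail version needs both because it matches the raw body text line by line.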