[Esd-l] Revised SoBig-F local rule
Peter Warasin
Peter.Warasin at darkrealms.org
Thu Aug 21 03:20:57 PDT 2003
hi

Attention: I think this new rule is not correct.
As you can see at
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
the new variant does not have .zip files anymore; the attachments are
.pif or .scr files.
The listed files are not compressed in a .zip file!
And then, the line in the body can be:
    See the attached file for details
or
    Please see the attached file for details.
So, the correct rule should look like this:
> :0
> * > 100000
> * < 120000
> * ^Content-Type:.*multipart/mixed;
> {
>   # B: match against the body (where the MIME part headers live); h, f, i: feed the
>   # header to the filter and ignore write errors. The two 9876543210^1 conditions are
>   # scored so that either one alone is enough: the attachment name on the same line as
>   # Content-Type/Disposition, or on the following (folded) line ($ matches a newline).
>   :0 B hfi
>   * ^ *(Please )?see the attached (zip )?file for details\.?
>   * ^Content-Disposition: attachment;
>   * ^Content-Transfer-Encoding: base64
>   * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(action|your_(details|document)|application|details|document(_all)?|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.(zip|pif|scr)"?
>   * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(action|your_(details|document)|application|details|document(_all)?|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.(zip|pif|scr)"?
>   | formail -A "X-Content-Security: [$HOST] NOTIFY" \
>     -A "X-Content-Security: [$HOST] QUARANTINE" \
>     -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"
> }
It's tested and works for me for the SoBig.F worm... I had no SoBig.E, so
I couldn't test whether it works for that one too.

Peter
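As an added example (not from Peter's post), here are the recipe's conditions re-implemented in Python and run over constructed sample messages, which shows why the rule needs the second name= condition for folded MIME part headers; procmail matches case-insensitively by default, so the patterns get re.I. The sample messages, their sender and the file names in them are constructed test data.

```python
import re

# Patterns carried over from the posted recipe. procmail matches case-insensitively by
# default, hence re.I; its "$" inside a pattern matches a newline, which the folded
# attachment-name form below reproduces with an optional "\n[^\n]*" (one folded line).
FILENAME = (r'"?(action|your_(details|document)|application|details|document(_all)?'
            r'|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.(zip|pif|scr)"?')
FLAGS = re.I | re.M
TOP_MIXED = re.compile(r"^Content-Type:.*multipart/mixed;", FLAGS)
BODY_LINE = re.compile(r"^ *(Please )?see the attached (zip )?file for details\.?", FLAGS)
DISPOSITION = re.compile(r"^Content-Disposition: attachment;", FLAGS)
ENCODING = re.compile(r"^Content-Transfer-Encoding: base64", FLAGS)
NAME_ONE_LINE = re.compile(r"^Content-(Type|Disposition):.*name *= *" + FILENAME, FLAGS)
NAME_FOLDED = re.compile(r"^Content-(Type|Disposition):[^\n]*(\n[^\n]*)?name *= *" + FILENAME, FLAGS)


def matches_sobig_rule(message: str) -> bool:
    """True when the message would trip every condition of the quoted recipe."""
    if not 100000 < len(message.encode()) < 120000:      # * > 100000 and * < 120000
        return False
    head, sep, body = message.partition("\n\n")
    if not sep or not TOP_MIXED.search(head):
        return False
    # The inner recipe carries the B flag: the remaining conditions look at the body,
    # which is where the MIME part headers of a multipart message live.
    return all(p.search(body) for p in (BODY_LINE, DISPOSITION, ENCODING, NAME_FOLDED))


def build_sample(filename: str, folded: bool = False, pad: int = 101000) -> str:
    """Construct a SoBig.F-shaped message (constructed test data, not a real capture)."""
    fold = "\n\t" if folded else " "   # folded: the name= parameter sits on the next line
    return (
        "From: someone@example.invalid\nSubject: Re: Details\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee the attached file for details\n"
        f'--b1\nContent-Type: application/octet-stream;{fold}name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment;{fold}filename="{filename}"\n\n'
        + "A" * pad + "\n--b1--\n"
    )


if __name__ == "__main__":
    for name, folded in (("your_details.pif", False), ("wicked_scr.scr", True), ("report.pdf", False)):
        print(name, "folded" if folded else "one-line", matches_sobig_rule(build_sample(name, folded)))
```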