[Esd-l] Revised SoBig-F local rule
Peter Warasin
Peter.Warasin at darkrealms.org
Thu Aug 21 03:25:44 PDT 2003
hi
sorry, the last mail had quotes in the worm signature.
here is the clean one:
# Outer recipe: only multipart/mixed messages between 100000 and 120000 bytes.
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
# Inner recipe: match on the body (B), then filter the header through formail (hfi).
# The two weighted conditions act as an OR: attachment name on the next line or on the same line.
:0 B hfi
* ^(Please )?see the attached (zip )?file for details\.?
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.(zip|pif|scr)"?
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.(zip|pif|scr)"?
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"
}
-- peter
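
An added example, not part of the original post: a Python port of the recipe's conditions, useful for regression-testing the patterns against constructed messages before the rule goes live. The function names, the sample addresses and the filler payload are assumptions made for the test.

```python
import re

# procmail matches case-insensitively and lets ^ and $ anchor at line breaks;
# a "$" in the middle of a pattern consumes the newline, written here as \n.
FLAGS = re.I | re.M
NAME = r'name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.(zip|pif|scr)"?'
REQUIRED = [re.compile(p, FLAGS) for p in (
    r'^(Please )?see the attached (zip )?file for details\.?',
    r'^Content-Disposition: attachment;',
    r'^Content-Transfer-Encoding: base64',
)]
# The two weighted conditions act as an OR: name= on the next line or the same line.
EITHER = [re.compile(p + NAME, FLAGS) for p in (
    r'^Content-(Type|Disposition):.*\n.*',
    r'^Content-(Type|Disposition):.*',
)]

def matches_rule(raw: str) -> bool:
    """True when the message passes every condition of the recipe."""
    if not 100000 < len(raw.encode()) < 120000:      # outer size window
        return False
    header, _, body = raw.partition("\n\n")
    if not re.search(r'^Content-Type:.*multipart/mixed;', header, FLAGS):
        return False
    return (all(p.search(body) for p in REQUIRED)     # "B" flag: body only
            and any(p.search(body) for p in EITHER))

def build_sample(filename: str, folded: bool = True, pad: int = 105000) -> str:
    """Constructed test message; the payload is filler, not worm content."""
    sep = "\n\t" if folded else " "
    return "\n".join([
        "From: sender@example.com",
        "Subject: Re: Details",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "Please see the attached file for details.",
        "--b1",
        f'Content-Type: application/octet-stream;{sep}name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment;{sep}filename="{filename}"',
        "",
        "QUFB" * (pad // 4),
        "--b1--",
        "",
    ])
```

The size window is applied to the whole message and the remaining patterns to the body only, as in the recipe.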