[Esd-l] SoBig.F backscatter trap
Brett Glass
brett at lariat.org
Fri Aug 22 10:25:34 PDT 2003
One of the problems we're having with SoBig.F is not the worm itself (which is being trapped) but rejection notices that arrive when the worm forges the "From:" address and sends to a nonexistent address (or sends a message that hits a virus checker). I have some clients who are running John's sanitizer and have come up with the following local rule to catch a lot of the backscatter:
# Trap backscatter from SoBig.F
#
# Both conditions must match: the Subject is a bounce ("Undeliverable:")
# quoting one of the subjects the worm uses, optionally behind one or more
# "Re: " prefixes, and the message comes from a mailer (procmail's built-in
# FROM_MAILER pattern) rather than from a person.
# Flags: h = feed only the header to the pipe, f = treat the pipe as a
# filter, i = ignore write errors on the pipe.
:0 hfi
* ^Subject: Undeliverable: *(Re: *)*(Approved|Details|(My|Your) details|That movie|Thank you\!|Wicked screensaver|Your application)
* ^FROM_MAILER
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
  -A "X-Content-Security: [$HOST] DISCARD" \
  -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig.F backscatter"
Of course, you can do "NONOTIFY" to delete it without generating notifications.
Comments? Suggested improvements?
--Brett
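As an added example (not from Brett's post and not part of the Email Sanitizer), the recipe's matching logic rendered in Python so it can be run against constructed sample bounces offline. The Subject pattern is the one from the recipe, translated to Python syntax; procmail's built-in FROM_MAILER macro is replaced by a deliberately narrow stand-in that only recognises a few daemon names in the originator headers, which is an assumption of this example and much narrower than the real macro. The NONOTIFY variant mentioned in the post is modelled as swapping the NOTIFY header for NONOTIFY; the sample messages are constructed, not captured.

```python
"""Python rendering of the posted procmail recipe, for testing the match
logic against sample bounces offline. Added example, not from the post."""
import re
from email import message_from_string
from email.message import Message

# Subject condition from the recipe, in Python regex syntax. Procmail's
# "Undeliverable: *" is "Undeliverable:" followed by zero or more spaces, and
# procmail matches case-insensitively by default, hence re.IGNORECASE.
SOBIG_BOUNCE_SUBJECT = re.compile(
    r"^Undeliverable: *(Re: *)*"
    r"(Approved|Details|(My|Your) details|That movie|Thank you!|"
    r"Wicked screensaver|Your application)",
    re.IGNORECASE,
)

# ASSUMPTION: a deliberately narrow stand-in for procmail's built-in
# FROM_MAILER macro, which is far broader (Precedence: bulk, Mailing-List:,
# dozens of daemon names). Here a message is "from a mailer" when one of
# the originator headers names one of these local parts.
MAILER_ORIGINATOR = re.compile(
    r"\b(postmaster|mailer-daemon|mail-daemon|daemon|root)\b", re.IGNORECASE
)
ORIGINATOR_HEADERS = ("From", "Sender", "Resent-From", "Resent-Sender")


def _matches(msg: Message) -> bool:
    """Both recipe conditions: SoBig.F-style bounce subject AND mailer origin."""
    if not SOBIG_BOUNCE_SUBJECT.match(msg.get("Subject", "")):
        return False
    return any(
        MAILER_ORIGINATOR.search(value)
        for name in ORIGINATOR_HEADERS
        for value in msg.get_all(name, [])
    )


def is_sobig_backscatter(raw: str) -> bool:
    return _matches(message_from_string(raw))


def tag_backscatter(raw: str, host: str, notify: bool = True) -> str:
    """Equivalent of the recipe's formail -A action: append the
    X-Content-Security headers the sanitizer acts on; other mail is returned
    untouched. notify=False models the NONOTIFY variant from the post."""
    msg = message_from_string(raw)
    if not _matches(msg):
        return raw
    tag = f"[{host}] "
    # Message.__setitem__ appends a header rather than replacing it, which
    # is what formail -A does.
    msg["X-Content-Security"] = tag + ("NOTIFY" if notify else "NONOTIFY")
    msg["X-Content-Security"] = tag + "DISCARD"
    msg["X-Content-Security"] = tag + "REPORT: Trapped SoBig.F backscatter"
    return msg.as_string()


def security_headers(raw: str) -> list[str]:
    """The X-Content-Security values present on a message (for inspection)."""
    return message_from_string(raw).get_all("X-Content-Security", [])


# Constructed sample messages (not real captures).
SOBIG_BOUNCE = (
    "From: postmaster@example.net\n"
    "To: victim@example.org\n"
    "Subject: Undeliverable: Re: Re: My details\n"
    "\n"
    "Your message could not be delivered.\n"
)
# Same subject, but sent by a person: the mailer-origin condition must fail.
HUMAN_REPLY = (
    "From: alice@example.net\n"
    "To: victim@example.org\n"
    "Subject: Undeliverable: Re: Thank you!\n"
    "\n"
    "Just forwarding this.\n"
)
# Genuine bounce for unrelated mail: the Subject condition must fail.
REAL_BOUNCE = (
    "From: MAILER-DAEMON@example.net\n"
    "To: victim@example.org\n"
    "Subject: Undeliverable: Q3 budget spreadsheet\n"
    "\n"
    "User unknown.\n"
)

if __name__ == "__main__":
    for label, raw in (("sobig", SOBIG_BOUNCE), ("human", HUMAN_REPLY),
                       ("real", REAL_BOUNCE)):
        print(label, security_headers(tag_backscatter(raw, "mx1")))
```

The two negative samples show why the recipe needs both conditions: the human-reply sample would be caught by the Subject pattern alone, and the real-bounce sample shows that a genuine rejection for unrelated mail passes through because its quoted subject is not one the worm uses.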