[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm

John D. Hardin jhardin at impsec.org
Thu Jun 26 09:56:24 PDT 2003


On Thu, 26 Jun 2003, Smart,Dan wrote:

> John, 
> To add a log statement after a header filter command, what should the flags
> be?
> 
> The following gives me extraneous flags errors. 
> 
> # Trap SoBig (signature as of 06/25/2003)
> #
> :0
> * > 100000
> * < 120000
> * ^Content-Type:.*multipart/mixed;
> {
>         :0 B hfi

Take off the "hfi" here.

>         * ^Please see the attached zip file for details\.
>         * ^Content-Disposition: attachment;
>         * ^Content-Transfer-Encoding: base64
>         * ^Content-(Type|Disposition):.*name *="?(your_details|application|document|screensaver|movie)\.zip"?
>         {
>           LOG="TRAPPED: Probable SoBig worm"
>           :0 hfi
>             | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
>                       -A "X-Content-Security: [$HOST] QUARANTINE" \
>                       -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/av

Close your braces.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.
                                            -- James Madison, 1799
-----------------------------------------------------------------------
   495 days until the Presidential Election
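For reference, the quoted recipe with both of the fixes above applied (drop the filter flags from the brace block, close both braces). This is an added example, not Dan's or John's recipe; the REPORT header ends where the quote was cut off, and `$HOST` is assumed to be set by the surrounding Sanitizer rcfile as in the original.

```procmail
# Trap SoBig (signature as of 06/25/2003)
#
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
  # Body scan: only the B flag belongs here. h, f and i are filter flags,
  # meaningful only on a recipe whose action is a pipe; on a { } block
  # procmail reports them as extraneous.
  :0 B
  * ^Please see the attached zip file for details\.
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  * ^Content-(Type|Disposition):.*name *="?(your_details|application|document|screensaver|movie)\.zip"?
  {
    LOG="TRAPPED: Probable SoBig worm"
    # The filter flags go on the recipe that actually pipes through formail:
    # h = feed only the header to the pipe, f = treat it as a filter,
    # i = ignore write errors on the pipe.
    :0 hfi
    | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
              -A "X-Content-Security: [$HOST] QUARANTINE" \
              -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/av"
  }
}
```

Both closing braces are required: one for the inner body-scan block and one for the outer size/Content-Type block.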