[Esd-l] NONOTIFY not honored
Smart,Dan
SmartD at VMCMAIL.com
Fri Jan 30 07:44:35 PST 2004
For some reason, I've set NONOTIFY in my local-rules but html-trap sends
notifications anyway. Here are snippets:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
=== local-rules ===
:0HB
* ^Content-Type[ 	]*:.*(application|audio|multipart|mixed|alternative|partial)
* name[ ]*[*]?[ ]*=.*\.[ 	]*(bat|pif|cmd|vb[as]|scr|lnk|com|exe|chm|\{[-0-9a-f]+\})(\.....?)?"?[ ]*$
* ^Content-Transfer-Encoding[ ]*:.*(base64|quoted-printable)
{
##
###### START-OF-TVqQAAM-FAMILY ######
:0BD
* ^TVqQAAM
{
#Novarg (MyDoom)
:0BD
* -800^0
#Novarg unpacked
* 200^0 gAsAAIA
* 200^0 Qbya4z/
* 200^0 WKyxNTc
* 200^0 xz9PyLY
* 200^0 2Zjo9Vd
#Novarg upx
* 200^0 0KJ3Tyo
* 200^0 3/ZH\+Ur
* 200^0 D/////8
* 200^0 Tlze1i2
* 200^0 88KUaUE
{
LOG="---=== WORM-MyDoom $DATE ===---${NL}"
:0 hfi
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped MyDoom Worm"
}
}
}
===== End local-rules snippet ======
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
==== In procmail log =====
---=== WORM-MyDoom Fri Jan 30 09:37:56 2004 ===---
>From sales at fedmarket.com Fri Jan 30 09:37:56 2004
 Subject: Server Report
  Folder: /var/spool/procmail/msglog                                      736
NOTIFY SENDER
>From sales at fedmarket.com Fri Jan 30 09:37:56 2004
 Subject: Server Report
  Folder: ( \ formail -r \ -I "From: \"Pr                                 736
NOTIFY RECIPIENT
>From sales at fedmarket.com Fri Jan 30 09:37:56 2004
 Subject: Server Report
  Folder: ( \ echo "To: <$LOGNAME>";\ echo 'From:                         736
==== End procmail.log snippet =======
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
==== What NOTIFY SENDER gets =======
> Regarding your message to
> <matt at vmcmail.com>
>
> ***** ACTIVE VIRUS ALERT / DANGEROUS ATTACHMENT *****
>
> Due to an active NAI virus alert, level 3-4 viral attack,
> Vulcan is currently under special operation conditions.
>
> We currently cannot accept any .ZIP files, as well as other
> dangerous attachments including EXE,SCR,SCT,PIF,LNK,BAT,CHM,
> HLP,SHB,SHS,VB*,WS*,NWS,HTA,REG,JS*
>
> If you do not know why you received this notice, it is
> possible that your computer has been infected by a virus,
> or your E-mail address has been used as the return address
> by a virus attacking someone else's computer. Be sure to scan
> your computer with the latest anti-virus (updated today) to
> ensure you are not infected.
>
> .ZIP files will be allowed again as soon as the current virus
> attack has been downgraded. The other dangerous attachment
> types are NEVER allowed. Please check
> http://vil.nai.com/vil/content/alert.htm
> for the end of the current virus alert.
>
> Dan Smart
> Enterprise Security Specialist
> Vulcan Materials Company
> security at vul.com
>
> REPORT: Trapped MyDoom Worm
> REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
> STATUS: Message quarantined, not delivered to recipient.
>
> Headers from message:
>
> > From register at w3pg.com Thu Jan 29 06:34:48 2004
> > Return-Path: <register at w3pg.com>
> > Received: from w3pg.com (unknown [130.160.235.240])
> > by lewis.vul.com (Vulcan E-mail Relay) with ESMTP id 73A2C9BB78
> > for <matt at vmcmail.com>; Thu, 29 Jan 2004 06:34:47 -0600 (CST)
> > From: register at w3pg.com
> > To: matt at vmcmail.com
> > Subject: TEST
> > Date: Thu, 29 Jan 2004 06:35:03 -0600
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> > boundary="----=_NextPart_000_0011_B85C35E8.BECE31E0"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > Message-Id: <20040129123447.73A2C9BB78 at lewis.vul.com>
> > X-Content-Security: [lewis] NONOTIFY
> > X-Content-Security: [lewis] QUARANTINE
> > X-Content-Security: [lewis] REPORT: Trapped MyDoom Worm
>
>
> --
> Message sanitized on lewis
> See http://www.impsec.org/email-tools/sanitizer-intro.html for details.
>
==== End Email Snippet =====
<<Dan>>
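A cross-check for exactly this situation, added here as an example (not code from the original post or from the Sanitizer): it parses a procmail log abstract in the layout shown above and flags NOTIFY SENDER / NOTIFY RECIPIENT deliveries for messages whose preceding LOG= tag comes from a local rule that also stamps NONOTIFY. The tag set NONOTIFY_TAGS, the sample log and the regexes are my assumptions.

```python
"""Audit a procmail log abstract for notifications sent on NONOTIFY'd messages.
Added example, not the Sanitizer's code; layout assumed as shown in the post."""
import re

FROM_RE = re.compile(r"^>?From (\S+(?: at \S+)?)\s+(.+)$")  # '>From': mbox quoting
TAG_RE = re.compile(r"^---=== (\S+) .* ===---$")             # local-rules LOG= line
NOTIFY_RE = re.compile(r"^NOTIFY (SENDER|RECIPIENT)$")
NONOTIFY_TAGS = {"WORM-MyDoom"}  # assumption: tags whose rule also sets NONOTIFY

# Constructed sample in the page's layout; the addresses are placeholders.
SAMPLE_LOG = r"""
---=== WORM-MyDoom Fri Jan 30 09:37:56 2004 ===---
>From sales at fedmarket.com Fri Jan 30 09:37:56 2004
 Subject: Server Report
  Folder: /var/spool/procmail/msglog                        736
NOTIFY SENDER
>From sales at fedmarket.com Fri Jan 30 09:37:56 2004
 Subject: Server Report
  Folder: ( \ formail -r \ -I "From: \"Pr                   736
NOTIFY RECIPIENT
>From sales at fedmarket.com Fri Jan 30 09:37:56 2004
 Subject: Server Report
  Folder: ( \ echo "To: <$LOGNAME>";\ echo 'From:           736
"""

def parse_abstract(log_text):
    """Yield (annotation, sender, subject, folder) for each delivery record."""
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    annotation, i = None, 0
    while i < len(lines):
        m = FROM_RE.match(lines[i])
        if not m:                       # LOG= text preceding the next record
            annotation, i = lines[i], i + 1
            continue
        subject = lines[i + 1].partition(":")[2].strip()
        folder = re.sub(r"\s+\d+$", "", lines[i + 2].partition(":")[2].strip())
        yield annotation, m.group(1), subject, folder
        annotation, i = None, i + 3

def audit(log_text):
    """List (sender, subject, SENDER|RECIPIENT) per notification on a tagged message."""
    suppressed, violations = set(), []
    for annotation, sender, subject, _folder in parse_abstract(log_text):
        tag = TAG_RE.match(annotation or "")
        if tag and tag.group(1) in NONOTIFY_TAGS:
            suppressed.add((sender, subject))
        notify = NOTIFY_RE.match(annotation or "")
        if notify and (sender, subject) in suppressed:
            violations.append((sender, subject, notify.group(1)))
    return violations
```

Run it over the real procmail log (`audit(open("/var/spool/procmail/log").read())` or wherever LOGFILE points) and an empty list means every NONOTIFY-tagged message was left alone.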