[Esd-l] NONOTIFY not honored
Smart,Dan
SmartD at VMCMAIL.com
Fri Jan 30 15:16:28 PST 2004
I cleaned up my local-rules file with no notify line, but it is still notifying...
===== snip log ======
---=== WORM-MyDoom Fri Jan 30 17:09:58 2004 ===---
>From sandra at tc.fluke.com Fri Jan 30 17:09:59 2004
Subject: Status
Folder: /var/spool/procmail/msglog
657
NOTIFY ADMIN (root at localhost)
>From sandra at tc.fluke.com Fri Jan 30 17:09:59 2004
Subject: Status
Folder: ( \ echo "To: $SECURITY_NOTIFY";\ echo '
657
NOTIFY SENDER
>From sandra at tc.fluke.com Fri Jan 30 17:09:59 2004
Subject: Status
Folder: ( \ formail -r \ -I "From: \"Pr
657
NOTIFY RECIPIENT
>From sandra at tc.fluke.com Fri Jan 30 17:09:59 2004
Subject: Status
Folder: ( \ echo "To: <$LOGNAME>";\ echo 'From:
657
==== end log snip =====
Any other suggestions?
<<Dan>>
===== snip of procmail config =======
## Leave variable blank to turn off!
POISONED_EXECUTABLES=${BINDIR}/poisoned
STRIPPED_EXECUTABLES=${BINDIR}/stripped
SECURITY_POISON_WINEXE=YES ##Check attachments for Windows Executable magic strings and poison if found
DISABLE_MACRO_CHECK=YES ##Disable scanning of MS Office file attachments
POISONED_SCORE= ##Macro Scanner score to consider the attachment poisoned
SCORE_HISTORY= ##Where to log macro scanner scores
SCORE_DETAILS= ##How was the macro score calculated
SCORE_ONLY= ##Only scan for scoring, do not poison based on score
SECURITY_OFFICE_EMBED_SCORE= ##Score to assign embedded files and URLS
SECURITY_QUARANTINE=/dev/null ##Where to save poisoned messages
SECURITY_QUARANTINE_OPTIONAL= ##If quarantine of a message fails, don't bounce it
SECURITY_QUARANTINE_LOCKFILE= ##Use of a non-default lockfile when writing to the quarantine
SECURITY_NOTIFY="root at localhost" ##Who to notify if an attack is detected
SECURITY_NOTIFY_VERBOSE= ## Who to notify verbosely if an attack is detected
SECURITY_NOTIFY_SENDER=${BINDIR}/poisoned-sender.txt ## Should the sender of the attack message be notified
SECURITY_NOTIFY_SENDER_POSTMASTER= ## Should the postmaster of the senders domain be notified?
SECURITY_NOTIFY_SENDER_ABUSE= ## Should abuse@ at the sender's domain be notified?
SECURITY_DISABLE_SMART_REPLY= ## Should Smart Reply Suppression be disabled?
SECURITY_LOCAL_POSTMASTER=abuse at vul.com ## Override the from address on notification messages
SECURITY_NOTIFY_RECIPIENT=${BINDIR}/poisoned-recipient.txt ## Should the intended recipient be notified?
## McAfee HotFix 8 for WebShield now scans MS-TNEF. Will now allow MSTNEF through filter. DJS 11-19-03
#SECURITY_STRIP_MSTNEF=YES ## Strip MS-TNEF attachments completely
SECURITY_STRIP_MSTNEF= ## Do not strip MS-TNEF attachments completely
POISONED_WARNING= ## Non default txt when attachments are poisoned
TNEF_WARNING= ## Non default text when MS-TNEF is stripped
SECURITY_DEFANG_SIGNED= ## defang signed messages
SECURITY_TRUST_HTML= ## Trust HTML code in messages
DEFANG_WEBBUGS= ## Enable inline images and sounds defanging
SECURITY_TRUST_STYLE_TAGS= ## Disable style tag defanging
SECURITY_NONOTIFY_LONGSUBJECT=YES ## Don't notify on excessively long subjects
SECRET="Secret" ## Random characters used for looping
SECURITY_MSGID_LOG="/var/log/poisoned.log" ## Log poisoned message IDs, make 666
===== end procmailrc snip =====
| -----Original Message-----
| From: John D. Hardin [mailto:jhardin at impsec.org]
| Sent: Friday, January 30, 2004 12:59 PM
| To: Smart,Dan
| Cc: esd-l at spconnect.com
| Subject: Re: [Esd-l] NONOTIFY not honored
|
| On Fri, 30 Jan 2004, Smart,Dan wrote:
|
| > For some reason, I've set NONOTIFY in my local-rules but html-trap
| > sends notifications anyway.
|
| NONOTIFY just means "don't bug the admin". Take out the
| NOTIFY line completely to shut it up completely...
|
| > {
| > LOG="---=== WORM-MyDoom $DATE ===---${NL}"
| > :0 hfi
| > | formail -A "X-Content-Security: [$HOST] QUARANTINE" \
| > -A "X-Content-Security: [$HOST] REPORT: Trapped MyDoom Worm"
| > }
|
| --
| John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
| jhardin at impsec.org pgpk -a jhardin at impsec.org
| key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
| -----------------------------------------------------------------------
| "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
| does quite what I want. I wish Christopher Robin was here."
| -- Peter da Silva in a.s.r
| -----------------------------------------------------------------------
| 64 days until the Slovakian Presidential Election
|
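A check for the situation in this thread, added here as an example and not code from the poster or the sanitizer project: it groups the `NOTIFY ...` markers in the procmail log under each `---=== ... ===---` header, so you can see whether a rule still triggers notifications after a config change. The log layout is assumed to match the snippet in the message above; the sample log and its addresses are constructed.

```python
import re

# Header written by the local rule's LOG= line: "---=== <label> <date> ===---"
EVENT = re.compile(
    r"^---=== (?P<label>.+?) (?P<when>\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4}) ===---\s*$")
# Marker lines as they appear in the log snippet in the message above
NOTIFY = re.compile(r"^NOTIFY (ADMIN|SENDER|RECIPIENT)\b")

# Constructed sample: the first event predates a config change, the second follows it.
SAMPLE_LOG = """\
---=== WORM-MyDoom Fri Jan 30 17:09:58 2004 ===---
>From user@example.com Fri Jan 30 17:09:59 2004
 Subject: Status
  Folder: /var/spool/procmail/msglog 657
NOTIFY ADMIN (admin@example.com)
>From user@example.com Fri Jan 30 17:09:59 2004
 Subject: Status
NOTIFY SENDER
>From user@example.com Fri Jan 30 17:09:59 2004
 Subject: Status
NOTIFY RECIPIENT
---=== WORM-MyDoom Sun Feb  1 09:12:03 2004 ===---
>From other@example.com Sun Feb  1 09:12:04 2004
 Subject: Hi
  Folder: /var/spool/procmail/msglog 702
"""

def notifications_by_event(log_text):
    """Return [(label, when, [kinds])], one entry per trap header, in log order."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            events.append((m["label"], m["when"], []))
            continue
        n = NOTIFY.match(line)
        if n and events:  # markers seen before the first header are ignored
            events[-1][2].append(n.group(1))
    return events

def still_notifying(log_text, label):
    """Events for one rule label that still produced at least one notification."""
    return [e for e in notifications_by_event(log_text) if e[0] == label and e[2]]

if __name__ == "__main__":
    for label, when, kinds in notifications_by_event(SAMPLE_LOG):
        print(f"{when}  {label}: {', '.join(kinds) or 'no notifications'}")
```
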