[Esa-l] SoBig local rule
Sergey Latkin
slatkin at phg.com
Wed Aug 20 06:39:22 PDT 2003
# Sobig.f signature
:0
* > 100000
* < 130000
* ^Content-Type:.*multipart/mixed;
* ^X-MailScanner: Found to be clean
{
  :0 B hfi
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  * 987654321^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document.*|movie0045|wicked_scr|your_document|thank_you)\.(pif|scr)"?
  * 987654321^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document.*|movie0045|wicked_scr|your_document|thank_you)\.(pif|scr)"?
  | formail -A "X-Content-Security: [$HOST] NOTIFY" \
            -A "X-Content-Security: [$HOST] DISCARD" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig variant worm - http://securityresponse.symantec.com/"
}
On Thursday June 26 2003 18:13, John D. Hardin wrote:
> # Trap SoBig (signature as of 06/26/2003)
> #
>
--
Sergey Latkin
Chief Technology Officer
Pinnacle Health Group
1-(800)-492-7771
slatkin at phg.com
http://www.phg.com