Re: Virus Flood to LSM list

From: kentat_private
Date: Wed Sep 03 2003 - 09:47:20 PDT


    On Tue, Sep 02, 2003 at 09:39:33PM -0700, Crispin Cowan wrote:
    > Not without pissing off a whole lot of other people who would 
    > unsubscribe if we started putting ham-handed filters on the list. I 
    > thought of filtering for the obvious subject lines that Sobig sends, but 
    > the subject lines are too short and generic, so such a filter has a 
    > significant chance of trapping legitimate posts.
    
    Put the following in /etc/procmailrc (you may have to adjust to your environment, 
    and you may not want to be so aggressive with the extensions):
    
    # Scan the body (B) for an application/octet-stream part whose name= ends in a risky extension
    :0 B:
    * application/octet-stream.*$.*name="?[-a-zA-Z0-9_.]+\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])"?
    $MAILDIR/virus
    
    Monitor the virus file for a while; when you have convinced yourself that 
    there are no false positives, change the last line to "/dev/null".
    
    I use the above filter on the ianaat_private address -- it is getting
    approximately 35000 virus emails per day.  The above filter had zero
    false positives before I put in the /dev/null.
    
    Kent
    
    -- 
    Kent Crispin                               "Be good, and you will be
    crispinat_private,kentat_private         lonesome."
    p: +1 310 823 9358  f: +1 310 823 8649               -- Mark Twain
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    
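    Before pointing a recipe like the one above at /dev/null it is worth running it
    over a few known messages. The following is an added Python example, not code
    from the original post or from procmail: it translates the condition into a
    Python regex and compares it against a stricter check that parses the MIME
    structure and looks at each part's declared filename. The translation assumes
    the procmail regex semantics as I read procmailrc(5): "." does not match a
    newline, "$" matches one, and matching ignores case unless the D flag is set.
    The sample messages, addresses and file names are constructed for the example.

```python
"""Offline comparison of the procmail attachment filter with a MIME-parsing check."""
import re
from email import message_from_string

# Extension alternation from the recipe (with the crt|exe typo split).
EXT_ALT = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
           r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")

# Translation of the procmail condition (assumption: '.' stops at a newline and
# '$' matches one, so ".*$.*" means "rest of this line, newline, start of the
# next line").  The name= parameter therefore has to be on the line after
# "application/octet-stream", i.e. in a folded Content-Type header.
PROCMAIL_RE = re.compile(
    r'application/octet-stream[^\n]*\n[^\n]*name="?[-a-zA-Z0-9_.]+\.(?:'
    + EXT_ALT + r')"?',
    re.IGNORECASE,  # procmail ignores case by default (no D flag in the recipe)
)

# Stricter alternative: only the final extension of the declared filename counts.
BLOCKED_EXT = re.compile(r"^(?:" + EXT_ALT + r")$", re.IGNORECASE)


def procmail_match(raw):
    """Apply the translated condition to the body only, as the B flag does."""
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    return PROCMAIL_RE.search(body) is not None


def mime_match(raw):
    """Parse the message and test the last extension of every part's filename."""
    msg = message_from_string(raw)
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename or Content-Type name
        if name and "." in name and BLOCKED_EXT.match(name.rsplit(".", 1)[1]):
            return True
    return False


def classify(raw):
    return {"procmail": procmail_match(raw), "mime": mime_match(raw)}


# Constructed sample messages (hypothetical addresses, placeholder base64 body).
HEADERS = "From: a@example.invalid\nTo: b@example.invalid\nSubject: Re: Details\n"


def make_message(content_type_lines, fname):
    return (HEADERS + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nSee the attached file.\n"
            "--b1\n" + content_type_lines
            + "Content-Transfer-Encoding: base64\n"
            'Content-Disposition: attachment;\n\tfilename="' + fname + '"\n\n'
            "QUJDREVGR0g=\n--b1--\n")


SAMPLES = {
    # Folded Content-Type, worm-style .pif name: caught by both checks.
    "folded_pif": make_message(
        'Content-Type: application/octet-stream;\n\tname="your_details.pif"\n',
        "your_details.pif"),
    # .exe only matches once crtexe is split into crt|exe.
    "folded_exe": make_message(
        'Content-Type: application/octet-stream;\n\tname="setup.exe"\n',
        "setup.exe"),
    # A legitimate tarball: neither check fires.
    "tarball": make_message(
        'Content-Type: application/octet-stream;\n\tname="lsm-patch.tar.gz"\n',
        "lsm-patch.tar.gz"),
    # Regex backtracks to ".pif" inside the name; the parsed check sees ".txt".
    "double_ext": make_message(
        'Content-Type: application/octet-stream;\n\tname="report.pif.txt"\n',
        "report.pif.txt"),
    # name= on the same line as octet-stream: the two-line regex misses it.
    "unfolded_pif": make_message(
        'Content-Type: application/octet-stream; name="your_details.pif"\n',
        "your_details.pif"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

    The "double_ext" and "unfolded_pif" samples are the kind of case the
    "monitor the virus file first" advice is about: the raw regex is anchored on
    header folding and on any dot-extension inside the name, so it can both miss
    an unfolded header and flag a name like report.pif.txt that a filename-based
    check would pass.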



    This archive was generated by hypermail 2b30 : Wed Sep 03 2003 - 09:47:49 PDT