Linux Users' Group of Davis (LUGOD)

Page last updated: 2004 Jan 29 04:40

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Spam _bounce_ deluge

I use maildrop, so you'd need to do a little work to convert the rules, but I won't even send a full rule, because I want to make sure the message gets through.

(a) I filter out attachments based on name - .exe .scr .pif .cmd and .bat all get a message filed as a virus.

(b) The three full virus names (replace the phoneticized punctuation with the real punctuation) also get a message filed as a virus (because I move viruses and their bounces to the same folder).

WORM*underscore*MIMAIL*dot*R
W32*slash*Mydoom*at*MM
W32*dot*Novarg*dot*A*at*mm

As a general principle, you can take advantage of the fact that a virus checker will give you the full name of the virus (which will specify which platform it runs on and which variant the virus is) while humans will only pass on the species name, because the rest of the stuff is implied.

There is one checker that doesn't do this - it just says it detected dangerous code. But it does tell me its name. This checker is: RAV*space*AntiVirus and it also gets shunted aside as relating to a virus.

(To assist this strategy, since I haven't gotten any viruses (or spam) claiming to be from LUGOD yet, or from any of my other mailing lists, I filter the mailing lists first. Then I filter for viruses. Then I filter for spam. Anything that's left over goes into my inbox.)

On 2004.01.28 15:54, Bill Kendrick wrote:

Does anyone have a procmail recipe to filter bounces from the latest
MS viruses? My inbox is pretty clean lately, since I'm finally having
procmail move mailing list traffic into various other boxes, so I can
peruse them more easily.

However, while I'm not getting much of the MyDoom virus ITSELF, I'm
getting a lot of bounces (for non-existent addresses that someone's
machine is mailing to, and forging my address in the From line) and
alerts from st00pid virus scanners ("You sent a virus!") that are fooled
by forged headers.

I'd love to have these all drop into some junk folder for me to delete
en-masse at the end of the day (checking for any false-positives, of course)


Thx!

-bill!
bill@newbreedsoftware.com
http://newbreedsoftware.com/bill/
"Hey Shatner, ya remember that episode of Space Trek where your show got cancelled?"
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org

--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 10/14/2003. If you use GPG *please* see me about signing the key. ***** My computer can't give you viruses by email. ***

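The sorting order the post describes (mailing lists first, then viruses and their bounces, then spam, everything else to the inbox) is easy to get wrong if the stages are swapped, since a list thread about MyDoom would otherwise land in the virus folder. The script below is an added example, not the poster's maildrop rules or anything from the thread; it implements the same four stages in Python with the standard `email` package. It uses the three full virus names and the RAV AntiVirus marker from the post (with the punctuation restored) and the vox-tech list address from the page; the sample messages, the folder names, and the spam stage (which assumes an upstream scanner has set the SpamAssassin-style `X-Spam-Flag` header) are constructed assumptions for the demonstration.

```python
"""Sort mail in the order the post describes: lists, then viruses, then
spam, then inbox.  Added example; not the poster's actual filter rules."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Lists are matched first, so a list discussion *about* MyDoom is never
# misfiled as a virus bounce.  Address is the one on this page; folder
# name is an assumption.
MAILING_LISTS = {"vox-tech@lists.lugod.org": "lists/vox-tech"}

# (a) attachment names the post files as viruses
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat")

# (b) the three full virus names from the post with real punctuation, plus
#     the scanner that only reports its own name
VIRUS_MARKERS = ("WORM_MIMAIL.R", "W32/Mydoom@MM", "W32.Novarg.A@mm", "RAV AntiVirus")


def _recipients(msg):
    """All To/Cc addresses, lower-cased."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in email.utils.getaddresses(headers)}


def _searchable_text(msg):
    """Subject plus the plain-text body: where scanners put the virus name."""
    parts = [str(msg.get("Subject", ""))]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        parts.append(body.get_content())
    return "\n".join(parts).lower()


def classify(raw: bytes) -> str:
    """Return the folder a raw RFC 2822 message should be filed in."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # 1. mailing lists first
    for addr in _recipients(msg):
        if addr in MAILING_LISTS:
            return MAILING_LISTS[addr]

    # 2. viruses and their bounces: dangerous attachment names, then full names
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(DANGEROUS_EXTENSIONS):
            return "virus"
    text = _searchable_text(msg)
    if any(marker.lower() in text for marker in VIRUS_MARKERS):
        return "virus"

    # 3. spam: hypothetical hook, assumes an upstream scanner set X-Spam-Flag
    if str(msg.get("X-Spam-Flag", "")).upper() == "YES":
        return "spam"

    # 4. everything else
    return "inbox"


def _message(subject, body, to="bill@example.org", attachment=None):
    """Build one constructed sample message (not real mail from the thread)."""
    m = EmailMessage()
    m["From"] = "someone@example.net"
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples covering each stage of the filter.
SAMPLES = {
    "scanner_alert": _message("Virus found", "WORM_MIMAIL.R was detected in your mail."),
    "pif_attach": _message("Hi", "See attached.", attachment="document.pif"),
    "rav_notice": _message("Dangerous code", "RAV AntiVirus removed dangerous code."),
    "list_post": _message("Re: bounces", "Anyone else drowning in MyDoom bounces?",
                          to="vox-tech@lists.lugod.org"),
    # A human writes only the species name, so this one must reach the inbox.
    "human_mail": _message("lunch", "Ugh, MyDoom is everywhere. Lunch at noon?"),
}


def sort_samples():
    """Classify every sample; returns {name: folder}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, folder in sort_samples().items():
        print(f"{name:14} -> {folder}")
```

The full-name check deliberately does not match the bare species name, which is the point the post makes: "MyDoom" in a human's message stays in the inbox, while "W32/Mydoom@MM" from a scanner is filed as a virus.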


