Mailing List Archive

New Beagle.J virus problems
Hello all,



I am sure that some or all of you have seen the effects of the new Beagle.J
virus. My question is, how do I blacklist the from address when it is my
own domain? For example, they show that they are coming from
administration@conpoint.com. This account doesn't even exist. How do I
blacklist messages coming from the account?



Thanks,


Dan



--
Dan Spray, Director of Internet Operations dan@conpoint.com
Connecting Point Norfolk, NE <http://www.conpoint.com/>
Voice - 402.844.2308 Fax - 402.371.4515

"The porcupine with the sharpest quills gets stuck on a tree more often."

--
RE: New Beagle.J virus problems
Hi Dan,

Here is what I whipped up this morning

header __YM_HF_BEAGLE_K From =~ /(?:management|administration|staff|noreply|support)\@(?:yourdomain1|yourdomain2|yourdomain3)/i
body __YM_B_BEAGLE_K /^(?:dear|hello) user/i
meta YM_BEAGLE_K (__YM_HF_BEAGLE_K && __YM_B_BEAGLE_K)
describe YM_BEAGLE_K Message contains the "Bagle.K/Beagle.K" virus
tflags YM_BEAGLE_K learn
score YM_BEAGLE_K 20.0

I think this should work for .J as well.

NOTE: SA is not a replacement for AV; this rule was written to cut down
on the flood of questions from users as to what these messages meant and
why there was a text file in the email stating that the zip file was
removed.

-matt

________________________________

From: Dan Spray [mailto:danslists@conpoint.com]
Sent: Wednesday, March 03, 2004 11:22 AM
To: spamassassin-users@incubator.apache.org
Subject: New Beagle.J virus problems



Hello all,



I am sure that some or all of you have seen the effects of the
new Beagle.J virus. My question is, how do I blacklist the from address
when it is my own domain? For example, they show that they are coming
from administration@conpoint.com. This account doesn't even exist. How
do I blacklist messages coming from the account?



Thanks,


Dan



--
Dan Spray, Director of Internet Operations dan@conpoint.com
Connecting Point Norfolk, NE <http://www.conpoint.com/>
Voice - 402.844.2308 Fax - 402.371.4515

"The porcupine with the sharpest quills gets stuck on a tree
more often."

--
RE: New Beagle.J virus problems
> Here is what I whipped up this morning
>
> header __YM_HF_BEAGLE_K From =~ /(?:management|administration|staff|noreply|support)\@(?:yourdomain1|yourdomain2|yourdomain3)/i
> body __YM_B_BEAGLE_K /^(?:dear|hello) user/i
> meta YM_BEAGLE_K (__YM_HF_BEAGLE_K && __YM_B_BEAGLE_K)
> describe YM_BEAGLE_K Message contains the "Bagle.K/Beagle.K" virus
> tflags YM_BEAGLE_K learn
> score YM_BEAGLE_K 20.0

This doesn't work for me since some of the accounts it comes from are
valid. It does contain a message-id with 11 lower case letters followed
by my domain name, but I've been having difficulty in actually making
the regex match. Shouldn't this work?

/^Message-I[Dd]: <[a-z]{19}\@wcg.org>$/

Bret
RE: New Beagle.J virus problems
> -----Original Message-----
> From: Bret Miller [mailto:bret.miller@wcg.org]
> Sent: Wednesday, March 03, 2004 12:35 PM
> To: spamassassin-users@incubator.apache.org
> Subject: RE: New Beagle.J virus problems
>
> > Here is what I whipped up this morning
> >
> > header __YM_HF_BEAGLE_K From =~ /(?:management|administration|staff|noreply|support)\@(?:yourdomain1|yourdomain2|yourdomain3)/i
> > body __YM_B_BEAGLE_K /^(?:dear|hello) user/i
> > meta YM_BEAGLE_K (__YM_HF_BEAGLE_K && __YM_B_BEAGLE_K)
> > describe YM_BEAGLE_K Message contains the "Bagle.K/Beagle.K" virus
> > tflags YM_BEAGLE_K learn
> > score YM_BEAGLE_K 20.0
>
> This doesn't work for me since some of the accounts it comes from are
> valid. It does contain a message-id with 11 lower case letters followed
> by my domain name, but I've been having difficulty in actually making
> the regex match. Shouldn't this work?
>
> /^Message-I[Dd]: <[a-z]{19}\@wcg.org>$/
>
> Bret
>
>

Bret,
What are the chances that the folks using the mentioned addresses would
greet folks by saying "Dear user or Hello user"? Also you could add
another meta test that examines the subject line and looks for the
following items:
E-mail account disabling warning.
E-mail account security warning.
Email account utilization warning.
Important notify about your e-mail account.
Notify about using the e-mail account.
Notify about your e-mail account utilization.
Warning about your e-mail account.

I think the message id regex you are looking for would be in this
format:
header TESTNAME Message-ID =~ /[a-z]{11}\@wcg\.org/i

But I would be careful of false positives running that alone; it should
be ok if you combine it in a meta test along with the from address or
subject or body test.

-matt
RE: New Beagle.J virus problems
On Wed, 3 Mar 2004, Yackley, Matt <Matt.Yackley@perkinswill.com> wrote:

> Also you could add another meta test that examines the subject line and
> looks for the following items:
>
> E-mail account disabling warning.
> E-mail account security warning.
> Email account utilization warning.
> Important notify about your e-mail account.
> Notify about using the e-mail account.
> Notify about your e-mail account utilization.
> Warning about your e-mail account.

header BAGLEJ_SUBJECT Subject =~ /[Ee]-?mail\saccount/

should do it (not tested).

--
Brent J. Nordquist <b-nordquist@bethel.edu> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
RE: New Beagle.J virus problems
For what it's worth, I append my contribution to the matter below my
signature. I do hope folks will let me know if they see any problems
with it. Thanks to Matt and Bret for the content I took from their
discussion ...

Folks will of course want to adjust the domain-specific portions ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst / Postmaster Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

# 2004/03/03 Sylvain Robitaille: trap Bagle variants. Based on
# discussion in spamassassin-users mailing list; specifically
# contributions by "Yackley, Matt" <Matt.Yackley@perkinswill.com>
# and "Bret Miller" <bret.miller@wcg.org>

header __CONCORDIA_BAGLE_FROM From =~ /(?:abuse|management|administration|staff|noreply|support)\@concordia\.ca/
body __CONCORDIA_BAGLE_GREETING /^(?:dear|hello)\s+user/i

header __CONCORDIA_BAGLE_MSGID Message-ID =~ /[a-z]{11,19}\@concordia.ca/
describe __CONCORDIA_BAGLE_MSGID Message-ID in format used by Bagle variants

rawbody __CONCORDIA_ATTACH /^Content-Type: application/octet-stream; name=".+\.(pif|zip)"$/
describe __CONCORDIA_ATTACH Message contains suspicious attachment.
# NOTE that this might be worth using in other contexts, but for now I'm
# including only those I've seen with this particular virus.

body __CONCORDIA_BAGLE_REGARDS /^(?:kind regards|sincerely/i
describe __CONCORDIA_BAGLE_REGARDS Bagle variant closing

# This might be useful to catch these in a site-agnostic way:
meta T_CONCORDIA_BAGLE_VARIANT (__CONCORDIA_BAGLE_GREETING && __CONCORDIA_ATTACH && __CONCORDIA_BAGLE_REGARDS)
meta CONCORDIA_BAGLE_VARIANT (__CONCORDIA_BAGLE_FROM && __CONCORDIA_BAGLE_GREETING && __CONCORDIA_BAGLE_MSGID && __CONCORDIA_ATTACH && __CONCORDIA_BAGLE_REGARDS)
describe CONCORDIA_BAGLE_VARIANT Message contains a variant of the "Bagle/Beagle" virus
score CONCORDIA_BAGLE_VARIANT 20.0
RE: New Beagle.J virus problems
On Wed, 3 Mar 2004, Sylvain Robitaille wrote:

> For what it's worth, I append my contribution to the matter below my
> signature. I do hope folks will let me know if they see any problems
> with it. ...

Gah! This is what I get for reading the thing *after* I already sent
it!

Patch appended ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst / Postmaster Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

--- 90_bagle.cf Wed Mar 3 14:29:54 2004
+++ 90_bagle.cf.NEW Wed Mar 3 14:36:23 2004
@@ -7,10 +7,10 @@
header __CONCORDIA_BAGLE_FROM From =~ /(?:abuse|management|administration|staff|noreply|support)\@concordia\.ca/
body __CONCORDIA_BAGLE_GREETING /^(?:dear|hello)\s+user/i

-header __CONCORDIA_BAGLE_MSGID Message-ID =~ /[a-z]{11,19}\@concordia.ca/
+header __CONCORDIA_BAGLE_MSGID Message-ID =~ /[a-z]{11,19}\@concordia\.ca/
describe __CONCORDIA_BAGLE_MSGID Message-ID in format used by Bagle variants

-rawbody __CONCORDIA_ATTACH /^Content-Type: application/octet-stream; name=".+\.(pif|zip)"$/
+rawbody __CONCORDIA_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/
describe __CONCORDIA_ATTACH Message contains suspicious attachment.
# NOTE that this might be worth using in other contexts, but for now I'm
# including only those I've seen with this particular virus.
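Review bot: the `+rawbody __CONCORDIA_ATTACH` line fixes the escaping of the slash but keeps the test as a `rawbody` rule, and rawbody only sees the textual MIME parts of a message, not the `Content-Type:` header of a binary attachment, so this line still cannot match the zip part it is meant to catch. Consider `full __CONCORDIA_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/m` instead; `full` runs against the whole pristine message as one string, so the `m` modifier is needed for `^` and `$` to match at line boundaries. The `\.` added on the `+header __CONCORDIA_BAGLE_MSGID` line is the right fix for the previously unescaped dot.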
Re: New Beagle.J virus problems
>
> From: Dan Spray [mailto:danslists@conpoint.com]
> Sent: Wednesday, March 03, 2004 11:22 AM
> To: spamassassin-users@incubator.apache.org
> Subject: New Beagle.J virus problems
>
>
>
> Hello all,
>
>
>
> I am sure that some or all of you have seen the effects of the
> new Beagle.J virus. My question is, how do I blacklist the from address
> when it is my own domain? For example, they show that they are coming
> from administration@conpoint.com. This account doesn't even exist. How
> do I blacklist messages coming from the account?
>
>
>
> Thanks,
>
>
> Dan
>
>
>
> --
> Dan Spray, Director of Internet Operations dan@conpoint.com
> Connecting Point Norfolk, NE <http://www.conpoint.com/>
> Voice - 402.844.2308 Fax - 402.371.4515
>
> "The porcupine with the sharpest quills gets stuck on a tree
> more often."
>

The Beagle viruses all seem to have an odd boundary we've been able to nab
with procmail:
:0BHh:
* boundary=\"--------[a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z]\"
* filename=.*\.(zip|pif)
/beagle

I'm sure this could easily be modified to an SA rule, maybe something like
rawbody __BEAGLE_VIRUS_BOUND /boundary=\"-{8}[a-z]{20}\"/
rawbody __EXECUTABLE_ATTACH /filename=.*(zip|pif)/
meta BEAGLE_VIRUS (__BEAGLE_VIRUS_BOUND && __EXECUTABLE_ATTACH)

Sandy
RE: New Beagle.J virus problems
On Wed, 3 Mar 2004, Mike Schrauder wrote:

> body __CONCORDIA_BAGLE_REGARDS /^(?:kind regards|sincerely/i
> should be
> body __CONCORDIA_BAGLE_REGARDS /^(?:kind regards|sincerely)/i
> no?

Yes! Thank you! (I'm still getting around to installing this locally,
so I would have caught that, but now I won't have to!)

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst / Postmaster Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
RE: New Beagle.J virus problems
Alright, let me try this again ... I received a suggestion that it
might not be a bad idea to resend my file, with all corrections (so
far!). I hope folks won't mind ... (see appended)

Note also that I've added Brent Nordquist's subject test ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

# 2004/03/03 Sylvain Robitaille: trap Bagle variants. Based on
# discussion in spamassassin-users mailing list; specifically
# contributions by "Yackley, Matt" <Matt.Yackley@perkinswill.com>
# "Bret Miller" <bret.miller@wcg.org> and Brent J. Nordquist
# <b-nordquist@bethel.edu>

header __CONCORDIA_BAGLE_FROM From =~ /(?:abuse|management|administration|staff|noreply|support)\@concordia\.ca/
body __CONCORDIA_BAGLE_GREETING /^(?:dear|hello)\s+user/i

header __CONCORDIA_BAGLE_MSGID Message-ID =~ /[a-z]{11,19}\@concordia\.ca/
describe __CONCORDIA_BAGLE_MSGID Message-ID in format used by Bagle variants

rawbody __CONCORDIA_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/
describe __CONCORDIA_ATTACH Message contains suspicious attachment.
# NOTE that this might be worth using in other contexts, but for now I'm
# including only those I've seen with this particular virus.

body __CONCORDIA_BAGLE_REGARDS /^(?:kind regards|sincerely)/i
describe __CONCORDIA_BAGLE_REGARDS Bagle variant closing

header __CONCORDIA_BAGLE_SUBJECT Subject =~ /e-?mail\s+account/i
describe __CONCORDIA_BAGLE_SUBJECT Bagle variant subject

# This might be useful to catch these in a site-agnostic way:
meta T_CONCORDIA_BAGLE_VARIANT (__CONCORDIA_BAGLE_GREETING && __CONCORDIA_ATTACH && __CONCORDIA_BAGLE_REGARDS && __CONCORDIA_BAGLE_SUBJECT)

meta CONCORDIA_BAGLE_VARIANT (__CONCORDIA_BAGLE_FROM && __CONCORDIA_BAGLE_GREETING && __CONCORDIA_BAGLE_MSGID && __CONCORDIA_ATTACH && __CONCORDIA_BAGLE_REGARDS && __CONCORDIA_BAGLE_SUBJECT)
describe CONCORDIA_BAGLE_VARIANT Message contains a variant of the "Bagle/Beagle" virus
score CONCORDIA_BAGLE_VARIANT 20.0
RE: New Beagle.J virus problems
Another update, of course with apologies ...

Rick Mallett of Carleton University sent in a suggestion that I could
not hesitate to add ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

# 2004/03/03 Sylvain Robitaille: trap Bagle variants. Based on
# discussion in spamassassin-users mailing list; specifically
# contributions by "Yackley, Matt" <Matt.Yackley@perkinswill.com>
# "Bret Miller" <bret.miller@wcg.org>, Brent J. Nordquist
# <b-nordquist@bethel.edu>, and Rick Mallett
# <rmallett@ccs.carleton.ca>

header __CONCORDIA_BAGLE_FROM From =~ /(?:abuse|management|administration|staff|noreply|support)\@(?:.*\.)?concordia\.ca/
body __CONCORDIA_BAGLE_GREETING /^(?:dear|hello)\s+user/i

header __CONCORDIA_BAGLE_MSGID Message-ID =~ /[a-z]{11,19}\@concordia\.ca/
describe __CONCORDIA_BAGLE_MSGID Message-ID in format used by Bagle variants

rawbody __CONCORDIA_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/
describe __CONCORDIA_ATTACH Message contains suspicious attachment.
# NOTE that this might be worth using in other contexts, but for now I'm
# including only those I've seen with this particular virus.

body __CONCORDIA_BAGLE_REGARDS /^(?:kind regards|sincerely)/i
describe __CONCORDIA_BAGLE_REGARDS Bagle variant closing

header __CONCORDIA_BAGLE_SUBJECT Subject =~ /e-?mail\s+account/i
describe __CONCORDIA_BAGLE_SUBJECT Bagle variant subject

# This might be useful to catch these in a site-agnostic way:
meta T_CONCORDIA_BAGLE_VARIANT (__CONCORDIA_BAGLE_GREETING && __CONCORDIA_ATTACH && __CONCORDIA_BAGLE_REGARDS && __CONCORDIA_BAGLE_SUBJECT)
meta CONCORDIA_BAGLE_VARIANT (__CONCORDIA_BAGLE_FROM && __CONCORDIA_BAGLE_GREETING && __CONCORDIA_BAGLE_MSGID && __CONCORDIA_ATTACH && __CONCORDIA_BAGLE_REGARDS && __CONCORDIA_BAGLE_SUBJECT)
describe CONCORDIA_BAGLE_VARIANT Message contains a variant of the "Bagle/Beagle" virus
score CONCORDIA_BAGLE_VARIANT 20.0
Re: New Beagle.J virus problems
On Wed, Mar 03, 2004 at 04:10:24PM -0500, Sylvain Robitaille wrote:
>
> Another update, of course with apologies ...

I'm having a problem getting this working...

> rawbody __CONCORDIA_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/

For some reason this not matching my test mail (quoted here to avoid
tripping things up too much).

| ----------ubljxhceccimkkfqbygn
| Content-Type: application/octet-stream; name="Info.zip"
| Content-Transfer-Encoding: base64
| Content-Disposition: attachment; filename="Info.zip"

Is 'rawbody' the right search for this? Or is it 'full'?

The 'raw body' of a message is the text, including all textual parts.

The 'full body' of a message is the un-decoded text, including all parts
(including images or other attachments).

That would imply 'full' to me... or is there something more obvious I'm
missing...

--
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/; $_ = unpack
'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x length; } /\.([^.]+)/g;
Re: New Beagle.J virus problems
header BEAGLE_FAKE_FROM From =~ /administration\@conpoint\.com/
describe BEAGLE_FAKE_FROM From an account that doesn't exist here
score BEAGLE_FAKE_FROM 50

Loren
----- Original Message -----
From: Dan Spray
To: spamassassin-users@incubator.apache.org
Sent: Wednesday, March 03, 2004 9:22 AM
Subject: New Beagle.J virus problems


Hello all,



I am sure that some or all of you have seen the effects of the new Beagle.J virus. My question is, how do I blacklist the from address when it is my own domain? For example, they show that they are coming from administration@conpoint.com. This account doesn't even exist. How do I blacklist messages coming from the account?



Thanks,


Dan



--
Dan Spray, Director of Internet Operations dan@conpoint.com Connecting Point Norfolk, NE <http://www.conpoint.com/>
Voice - 402.844.2308 Fax - 402.371.4515

"The porcupine with the sharpest quills gets stuck on a tree more often."

--
Re: New Beagle.J virus problems
On Wed, 3 Mar 2004, brian moore wrote:

> Is 'rawbody' the right search for this? Or is it 'full'?

Considering that I haven't caught a single copy with the rules as I
posted (with "rawbody" on that test), I'd have to say that 'rawbody'
isn't right. I'm going to switch to 'full' and let that run overnight.

Thanks for trying this out, and for finding this flaw ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
Re: New Beagle.J virus problems
On Wed, 3 Mar 2004, Loren Wilton wrote:

> header BEAGLE_FAKE_FROM From =~ /administration\@conpoint\.com/
> describe BEAGLE_FAKE_FROM From an account that doesn't exist here
> score BEAGLE_FAKE_FROM 50

If my current attempts to catch on the content, preferably in a
site-independent manner, continue to fail, I may resort to something
this simple ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst / Postmaster Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
Re: New Beagle.J virus problems
I was waaay behind on my reading when I posted that. Your current (or last
posted) attempt using full instead of rawbody should basically do it, modulo
any minor bugs there may be in the code. (I am lucky enough to not have any
of these to test it with! ;-)

Loren

> From: "Sylvain Robitaille" <syl@alcor.concordia.ca>
> On Wed, 3 Mar 2004, Loren Wilton wrote:
>
> > header BEAGLE_FAKE_FROM From =~ /administration\@conpoint\.com/
> > describe BEAGLE_FAKE_FROM From an account that doesn't exist here
> > score BEAGLE_FAKE_FROM 50
>
> If my current attempts to catch on the content, preferably in a
> site-independent manner, continue to fail, I may resort to something
> this simple ...

Now back to writing a test for the latest viarga spam that slipped
through...
Re: New Beagle.J virus problems
This rule catches all of the Beagle variants seen so far:

header MIME_BOUND_BEAGLE Content-Type =~ /^multipart\/mixed; +boundary="--------([0-9]{15}|[a-z]{20})"$/
describe MIME_BOUND_BEAGLE Beagle worm pattern in MIME boundary
score MIME_BOUND_BEAGLE 150

Since it looks only at the header it won't catch the bounces you get
when your e-mail address is forged as the sender, but those are rare
in my experience.

:: Jeff Makey
jeff@sdsc.edu
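Sylvain's rule file, Brian's question about `rawbody` versus `full`, and Jeff's MIME-boundary header test all hinge on which view of the message each rule type sees. The following Python script is an added example, not code from any post in this thread: it transcribes the regexes into Python's `re`, parses a constructed message shaped like the test mail Brian quoted (domain replaced by the placeholder example.org, dummy base64 payload), and evaluates the sub-rules and meta rules against the textual parts (the body/rawbody view) and against the pristine message (the full view). The re.M flag stands in for SpamAssassin applying body rules line by line.

```python
"""Added example (not from the thread): evaluate the Bagle rules against a
constructed message and show why the attachment test only fires as 'full'."""
import email
import re

# Constructed sample, not a real capture: 8-dash + 20-letter boundary,
# a "Dear user" text part and a dummy octet-stream part named Info.zip.
# The base64 block is filler, not a real zip file.
SAMPLE_RAW = """\
From: administration@example.org
To: someone@example.org
Subject: E-mail account security warning.
Message-ID: <ubljxhceccimkkfqbygn@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------ubljxhceccimkkfqbygn"

----------ubljxhceccimkkfqbygn
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user,

Please read the attached information.

Kind regards,
The example.org team

----------ubljxhceccimkkfqbygn
Content-Type: application/octet-stream; name="Info.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Info.zip"

UEsDBBQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

----------ubljxhceccimkkfqbygn--
"""

ATTACH_RE = r'^Content-Type: application/octet-stream; name=".+\.(pif|zip)"$'

# (rule name, rule type, header name or None, compiled regex); the patterns
# are the thread's, with example.org standing in for the local domain.
RULES = [
    ("__BAGLE_FROM", "header", "From",
     re.compile(r"(?:abuse|management|administration|staff|noreply|support)@(?:.*\.)?example\.org")),
    ("__BAGLE_GREETING", "body", None, re.compile(r"^(?:dear|hello)\s+user", re.I | re.M)),
    ("__BAGLE_MSGID", "header", "Message-ID", re.compile(r"[a-z]{11,19}@example\.org")),
    ("__BAGLE_REGARDS", "body", None, re.compile(r"^(?:kind regards|sincerely)", re.I | re.M)),
    ("__BAGLE_SUBJECT", "header", "Subject", re.compile(r"e-?mail\s+account", re.I)),
    ("__ATTACH_RAWBODY", "rawbody", None, re.compile(ATTACH_RE, re.M)),
    ("__ATTACH_FULL", "full", None, re.compile(ATTACH_RE, re.M)),
    ("MIME_BOUND_BEAGLE", "header", "Content-Type",
     re.compile(r'^multipart/mixed; +boundary="--------([0-9]{15}|[a-z]{20})"$')),
]


def textual_parts(msg):
    """Approximate SpamAssassin's body/rawbody view: the transfer-decoded text
    of the textual MIME parts only.  Part headers and non-text parts are not
    included, so a zip attachment's Content-Type line is invisible here."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_payload(decode=True).decode("ascii", "replace"))
    return "\n".join(chunks)


def evaluate(raw):
    """Return {rule_name: bool} for every sub-rule plus two meta rules that
    differ only in whether the attachment test is a rawbody or a full rule."""
    msg = email.message_from_string(raw)
    text = textual_parts(msg)
    hits = {}
    for name, kind, header, rx in RULES:
        if kind == "header":
            target = msg.get(header, "")
        elif kind in ("body", "rawbody"):
            target = text
        else:  # "full": the pristine message, headers and attachments included
            target = raw
        hits[name] = rx.search(target) is not None
    common = ("__BAGLE_FROM", "__BAGLE_GREETING", "__BAGLE_MSGID",
              "__BAGLE_REGARDS", "__BAGLE_SUBJECT")
    hits["BAGLE_VARIANT_RAWBODY"] = all(hits[n] for n in common) and hits["__ATTACH_RAWBODY"]
    hits["BAGLE_VARIANT_FULL"] = all(hits[n] for n in common) and hits["__ATTACH_FULL"]
    return hits


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_RAW).items():
        print(f"{name:24} {'HIT' if hit else '-'}")
```

Run it and the two meta rules disagree on the same message: every header and body sub-rule fires, the boundary header test fires, but the attachment test only fires in its `full` form, which is the behaviour Brian and Loren describe.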
Re: New Beagle.J virus problems
On Wed, 3 Mar 2004, Loren Wilton wrote:

> I was waaay behind on my reading when I posted that. Your current (or last
> posted) attempt using full instead of rawbody should basically do it, modulo
> any minor bugs there may be in the code.

Well, it still hasn't worked, so I switched to something as simple as
you suggested (with the list of addresses I've seen instead of only the
one) and that seems to have actually stopped some... :-(

Jeff Makey's suggestion is also working ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst / Postmaster Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
Re: New Beagle.J virus problems
>>> Sylvain Robitaille <syl@alcor.concordia.ca> 3/4/2004 11:14:45 AM
>>>
On Wed, 3 Mar 2004, Loren Wilton wrote:

> I was waaay behind on my reading when I posted that. Your current (or last
> posted) attempt using full instead of rawbody should basically do it, modulo
> any minor bugs there may be in the code.

Well, it still hasn't worked, so I switched to something as simple as
you suggested (with the list of addresses I've seen instead of only the
one) and that seems to have actually stopped some... :-(

>>>>>>>>>>>>>>

# 2004/03/03 Sylvain Robitaille: trap Bagle variants. Based on
# discussion in spamassassin-users mailing list; specifically
# contributions by "Yackley, Matt" <Matt.Yackley@perkinswill.com>
# "Bret Miller" <bret.miller@wcg.org>, Brent J. Nordquist
# <b-nordquist@bethel.edu>, and Rick Mallett
# <rmallett@ccs.carleton.ca>

header __JEFFCO_BAGLE_FROM From =~ /(?:abuse|management|administration|staff|noreply|support)\@(?:.*\.)?(co|jeffco)\.us/

body __JEFFCO_BAGLE_GREETING /^(?:dear|hello)\s+user/i

header __JEFFCO_BAGLE_MSGID Message-ID =~ /[a-z]{11,19}\@(co|jeffco)\.us/
describe __JEFFCO_BAGLE_MSGID Message-ID in format used by Bagle variants

#rawbody __JEFFCO_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/
#describe __JEFFCO_ATTACH Message contains suspicious attachment.
# NOTE that this might be worth using in other contexts, but for now I'm
# including only those I've seen with this particular virus.

body __JEFFCO_BAGLE_REGARDS /^(?:kind regards|sincerely)/i
describe __JEFFCO_BAGLE_REGARDS Bagle variant closing

header __JEFFCO_BAGLE_SUBJECT Subject =~ /e-?mail\s+account/i
describe __JEFFCO_BAGLE_SUBJECT Bagle variant subject

# This might be useful to catch these in a site-agnostic way:
meta T_JEFFCO_BAGLE_VARIANT (__JEFFCO_BAGLE_GREETING && __JEFFCO_BAGLE_REGARDS && __JEFFCO_BAGLE_SUBJECT)
meta JEFFCO_BAGLE_VARIANT (__JEFFCO_BAGLE_FROM && __JEFFCO_BAGLE_GREETING && __JEFFCO_BAGLE_MSGID && __JEFFCO_BAGLE_REGARDS && __JEFFCO_BAGLE_SUBJECT)
describe JEFFCO_BAGLE_VARIANT Message contains a variant of the "Bagle/Beagle" virus
score JEFFCO_BAGLE_VARIANT 20.0


(Relabeled for reporting) - I removed the ATTACH rules (I'm using
MailScanner) and it seems to be catching some, although I do see 0.01
scores for _JEFFCO_BAGLE_VARIANT - not sure why that is.

Some of the scores I've seen are:

(score=4.787, required 4, BAYES_01 -0.04, DCC_CHECK 2.91,
MIME_SUSPECT_NAME 0.10, NO_DNS_FOR_FROM 1.65, NO_REAL_NAME 0.16,
T_JEFFCO_BAGLE_VARIANT 0.01)

(score=30.23, required 4, BAGLE_SUBJECT_2 10.00, BAYES_01 -0.04,
JEFFCO_BAGLE_VARIANT 20.00, MIME_SUSPECT_NAME 0.10, NO_REAL_NAME 0.16,
T_JEFFCO_BAGLE_VARIANT 0.01)

(score=11.77, required 4, BAGLE_PASSWORD 10.00, BAYES_00 -0.05,
NO_DNS_FOR_FROM 1.65, NO_REAL_NAME 0.16, T_JEFFCO_BAGLE_VARIANT 0.01)

(score=30.12, required 4, BAGLE_PASSWORD 10.00, BAYES_00 -0.05,
JEFFCO_BAGLE_VARIANT 20.00, NO_REAL_NAME 0.16, T_JEFFCO_BAGLE_VARIANT
0.01)
Re: New Beagle.J virus problems
From: "Sylvain Robitaille" <syl@alcor.concordia.ca>
| Well, it still hasn't worked, so I switched to something as simple as
| you suggested (with the list of addresses I've seen instead of only the
| one) and that seems to have actually stopped some... :-(

Try something like this as it works for us:
Note: remove any word wrapping

header __BAGLE_K_FROM From =~ /(?:management|administration|staff|noreply|support)\@/i
body __BAGLE_K_BODY_1 /^(?:dear|hello) user/i
body __BAGLE_K_BODY_21 /^Your e-mail account has been temporary disabled because of unauthorized access\./i
body __BAGLE_K_BODY_22 /^Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service\./i
body __BAGLE_K_BODY_23 /^Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information\./i
body __BAGLE_K_BODY_24 /^We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions\./i
body __BAGLE_K_BODY_25 /^Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software\./i
body __BAGLE_K_BODY_26 /^Some of our clients complained about the spam \(negative e-mail content\) outgoing from your e-mail account\. Probably, you have been infected by a proxy-relay trojan server\. In order to keep your computer safe, follow the instructions\./i
meta BAGLE_WORM_CE (__BAGLE_K_FROM && __BAGLE_K_BODY_1 && (__BAGLE_K_BODY_21 || __BAGLE_K_BODY_22 || __BAGLE_K_BODY_23 || __BAGLE_K_BODY_24 || __BAGLE_K_BODY_25 || __BAGLE_K_BODY_26))
describe BAGLE_WORM_CE Bagle/Beagle worm in Zip File DO NOT OPEN
tflags BAGLE_WORM_CE learn
score BAGLE_WORM_CE 120.0


Greg
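Several rule sets posted in this thread carried a small defect that only surfaces when SpamAssassin loads the file: the unbalanced `(?:` in Sylvain's regards test, the uppercase `/I` modifier in Matt's Message-ID suggestion, lines that a mail client wrapped in the JEFFCO copy, a regex-style `(?:` group inside a meta expression, and a meta referring to a rule that is not defined. The following Python script is an added example, not from any post: a pre-flight linter for such a rule fragment. It assumes only the plain `header Name =~ /regex/flags` form used in this thread, relies on Python's `re` being close enough to Perl's for these patterns, and the sample rule file it checks is constructed with one copy of each defect.

```python
"""Added example (not from the thread): a small linter for SpamAssassin rule
fragments that catches the mistakes seen in the posted rule files."""
import re

RULE_TYPES = {"header", "body", "rawbody", "full", "uri", "meta"}
FREE_TEXT = {"describe", "score", "tflags"}    # carry no regex to check
PERL_FLAGS = set("imsx")                        # modifiers SpamAssassin accepts
REGEX_LINE = re.compile(r"^/(.*)/([A-Za-z]*)$")  # /pattern/flags
HEADER_RULE = re.compile(r"^\S+\s+[=!]~\s+(.*)$")  # Header =~ /pattern/flags
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample .cf, not a real rule file: one copy of each defect.
SAMPLE_CF = r"""# constructed sample, not a real rule file
header __SAMPLE_FROM From =~ /(?:management|administration|staff|noreply|support)\@example\.org/i
body __SAMPLE_GREETING /^(?:dear|hello)\s+user/i
header __SAMPLE_MSGID Message-ID =~ /[a-z]{11}\@example\.org/I
rawbody __SAMPLE_ATTACH /^Content-Type: application/octet-stream; name=".+\.(pif|zip)"$/
body __SAMPLE_REGARDS /^(?:kind regards|sincerely/i
# a continuation line left behind by a mail client's word wrap:
variants
meta SAMPLE_BAGLE (__SAMPLE_FROM && __SAMPLE_GREETING && (?:__SAMPLE_REGARDS || __SAMPLE_NOSUCH))
describe SAMPLE_BAGLE constructed Bagle-style meta rule
score SAMPLE_BAGLE 20.0
"""


def lint(cf_text):
    """Return a list of (line_number, problem) for a rule fragment."""
    problems = []
    defined = set()
    metas = []
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 2)
        keyword = fields[0]
        if keyword in FREE_TEXT:
            continue
        if keyword not in RULE_TYPES:
            problems.append((lineno, f"unknown directive {keyword!r} (wrapped line?)"))
            continue
        if len(fields) < 3:
            problems.append((lineno, "rule has no pattern"))
            continue
        name, rest = fields[1], fields[2]
        defined.add(name)
        if keyword == "meta":
            metas.append((lineno, name, rest))  # checked after all names are known
            continue
        if keyword == "header":
            m = HEADER_RULE.match(rest)
            if not m:
                problems.append((lineno, "header rule is not 'Header =~ /regex/'"))
                continue
            rest = m.group(1)
        m = REGEX_LINE.match(rest)
        if not m:
            problems.append((lineno, "pattern is not written as /regex/flags"))
            continue
        pattern, flags = m.groups()
        unknown = set(flags) - PERL_FLAGS
        if unknown:
            problems.append((lineno, f"unknown regex modifier {''.join(sorted(unknown))!r}"))
        if re.search(r"(?<!\\)/", pattern):
            problems.append((lineno, "unescaped '/' inside the pattern"))
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append((lineno, f"pattern does not compile: {exc}"))
    for lineno, name, expr in metas:
        if "(?:" in expr:
            problems.append((lineno, "'(?:' is regex syntax, not valid in a meta expression"))
        for ref in IDENT.findall(expr):
            if ref not in defined:
                problems.append((lineno, f"meta {name} uses undefined rule {ref}"))
    return problems


if __name__ == "__main__":
    for lineno, problem in lint(SAMPLE_CF):
        print(f"line {lineno}: {problem}")
```

`spamassassin --lint` remains the authoritative check once the file is in place; this script only catches the classes of mistakes above before the file ever reaches the mail server.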
Re: New Beagle.J virus problems
On Thu, 4 Mar 2004, Greg Cirino - Cirelle Enterprises wrote:

> Try something like this as it works for us:

Actually, this was the simplest regex I found (from a procmail rule)

:0 B
* The +[^.]+\.[^ ]+ +team




==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: New Beagle.J virus problems
> #rawbody __JEFFCO_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/
> #describe __JEFFCO_ATTACH Message contains suspicious attachment.
> # NOTE that this might be worth using in other contexts, but for now I'm
> # including only those I've seen with this particular virus.

This test is suspicious. I think you have to do it on full rather than
rawbody to actually get it hit. My understanding is binary attachments
(including their descriptions) vanish in rawbody.


> describe JEFFCO_BAGLE_VARIANT Message contains a variant of the "Bagle/Beagle" virus
> score JEFFCO_BAGLE_VARIANT 20.0
>
> (Relabeled for reporting) - I removed the ATTACH rules (I'm using
> MailScanner) and it seems to be catching some, although I do see 0.01
> scores for _JEFFCO_BAGLE_VARIANT - not sure why that is.

Which seems VERY strange, as the score for that seems to be 20.0, not 0.01.

Loren