Mailing List Archive

MyDoom E-mail
Has anyone written a rule that catches the MyDoom virus e-mails.

Thanks,
Mark DeMichele
Re: MyDoom E-mail [ In reply to ]
Mark A. DeMichele wrote:

> Has anyone written a rule that catches the MyDoom virus e-mails.
>
> Thanks,
>
> Mark DeMichele
>

If you mean the actual virus coming in, use an A/V product for that. I
use exiscan ACL and McAfee with Exim 4.3 for that.

If you mean the various virus bounce notifications, look here...

http://www.exit0.us/index.php/VirusBounceRules

and here...

http://www.timj.co.uk/linux/bogus-virus-warnings.cf

Steven
--
Steven Dickenson <steven@mrchuckles.net>
http://www.mrchuckles.net
Re: MyDoom E-mail [ In reply to ]
Yeah, I call it procmail. :)


Here is my procmail recipe for catching extensions. Maybe this will
work for you?


# File extensions to be blocked by procmail:
ext='(vbj|exe|com|bat|vbs|cmd|pif|scr|js|zip)'

# Whitespace character class used in the condition below (a space and a tab).
WS='[ 	]'

# This recipe should stop the attachments from the clients.
:0 BHbh
* !^FROM_DAEMON
* !^X-Loop: mail-server@mydomain.com
* $ content-[^:]+:${WS}*.+(\<)*(file)?name${WS}*=\"*\/.+\.$ext\"?$
{
# 'c' keeps processing after the pipe: without it the pipe is a delivering
# recipe, procmail stops right there and the /dev/null recipe never runs.
:0 hbc
| (formail -r -i"From: mail-server@mydomain.com" -I"Precedence: junk" -A"X-Loop: mail-server@mydomain.com" ; cat /etc/procmailrcs/virus.email) | $SENDMAIL -t

:0 A
/dev/null
}



On Mon, 2004-02-09 at 14:57, Mark A. DeMichele wrote:

> Has anyone written a rule that catches the MyDoom virus e-mails.
>
> Thanks,
>
> Mark DeMichele

Wess Bechard
Technical Support
eliquidMEDIA
International Inc.

wess@eliquid.com
519.973.1930 -1.800.561.7525
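The same extension check done with Python's standard email parser, as an added example (mine, not Wess's recipe and not code from any poster). It reads both the Content-Disposition filename= and the Content-Type name= parameters, so it still sees them when they are folded onto continuation lines as in the MIME sample quoted later in the thread, and it honours the X-Loop marker the recipe sets. It goes one step beyond the recipe: a .zip is reported only when it carries a blocked extension inside (or cannot be opened), not outright. The loop value, the addresses and the sample message are constructed for the example.

```python
import base64
import email
import io
import re
import zipfile
from email import policy
from email.utils import collapse_rfc2231_value

# Extension list taken from the procmail recipe above.
BLOCKED_EXT = {"vbj", "exe", "com", "bat", "vbs", "cmd", "pif", "scr", "js", "zip"}
# Loop marker the recipe adds to its own notifications (assumed value, as in the recipe).
LOOP_HEADER, LOOP_VALUE = "X-Loop", "mail-server@mydomain.com"


def _ext(name):
    """Lower-cased final extension of a file name ('' if none): 'doc.txt.exe' -> 'exe'."""
    m = re.search(r"\.([A-Za-z0-9]+)$", name.strip().strip('"'))
    return m.group(1).lower() if m else ""


def _names(part):
    """Both places a MIME part can carry a name: Content-Disposition filename= and Content-Type name=."""
    found = [part.get_filename(), part.get_param("name")]
    return list(dict.fromkeys(collapse_rfc2231_value(n) for n in found if n))


def blocked_attachments(raw):
    """Return the attachment names that trip the filter; an empty list means the mail can pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if any(str(v).strip() == LOOP_VALUE for v in msg.get_all(LOOP_HEADER, [])):
        return []  # one of our own notifications: never filter it or answer it again
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        for name in _names(part):
            ext = _ext(name)
            if ext == "zip":
                # Look one level inside the archive instead of rejecting every zip.
                data = part.get_payload(decode=True) or b""
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as zf:
                        inner = [m for m in zf.namelist() if _ext(m) in BLOCKED_EXT]
                except zipfile.BadZipFile:
                    inner = ["<unreadable archive>"]
                hits.extend(f"{name}:{m}" for m in inner)
            elif ext in BLOCKED_EXT:
                hits.append(name)
    return hits


def build_message(name, payload, extra_headers=""):
    """Constructed sample in the folded layout quoted later in the thread (names on continuation lines)."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return (
        "From: someone@example.org\nTo: user@mydomain.com\nSubject: hi\n"
        f"{extra_headers}MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="----=_NextPart_000_0011"\n\n'
        "------=_NextPart_000_0011\nContent-Type: text/plain\n\nSee attachment.\n"
        "------=_NextPart_000_0011\n"
        f'Content-Type: application/octet-stream;\n\tname="{name}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment;\n\tfilename="{name}"\n\n{b64}\n'
        "------=_NextPart_000_0011--\n"
    ).encode("ascii")


def zip_with_executable():
    """Constructed archive whose only member has a double extension; the bytes are not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.exe", b"not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    print(blocked_attachments(build_message("body.zip", zip_with_executable())))
    print(blocked_attachments(build_message("report.pdf", b"%PDF-1.4")))
```

Double extensions such as document.txt.exe are caught because only the final extension is compared, which is also why the procmail regex above ends in `\.$ext` rather than matching on the first dot.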
Re: MyDoom E-mail [ In reply to ]
If you do use procmail, you can use virus.email to send a message as a
bounce back. :)



On Mon, 2004-02-09 at 15:03, Wess Bechard wrote:

> Yeah, I call it procmail. :)
>
>
> Here is my procmail recipe for catching extensions. Maybe this will
> work for you?
>
>
> # File extensions to be blocked by procmail:
> ext='(vbj|exe|com|bat|vbs|cmd|pif|scr|js|zip)'
>
> # This recipe should stop the attachments from the clients.
> :0 BHbh
> * !^FROM_DAEMON
> * !^X-Loop: mail-server@mydomain.com
> * $ content-[^:]+:${WS}*.+(\<)*(file)?name${WS}*=\"*\/.+\.$ext\"?$
> {
> :0 hb
> | (formail -r -i"From: mail-server@mydomain.com" -I"Precedence: junk" -A"X-Loop: mail-server@mydomain.com" ; cat /etc/procmailrcs/virus.email) | $SENDMAIL -t
>
> :0 A
> /dev/null
> }
>
>
>
> On Mon, 2004-02-09 at 14:57, Mark A. DeMichele wrote:
>
> > Has anyone written a rule that catches the MyDoom virus e-mails.
> >
> > Thanks,
> >
> > Mark DeMichele
>
> Wess Bechard
> Technical Support
> eliquidMEDIA
> International Inc.
>
> wess@eliquid.com
> 519.973.1930 -1.800.561.7525

Wess Bechard
Technical Support
eliquidMEDIA
International Inc.

wess@eliquid.com
519.973.1930 -1.800.561.7525
Re: MyDoom E-mail [ In reply to ]
On Mon, 2004-02-09 at 12:01, Steven Dickenson wrote:
> If you mean the actual virus coming in, use an A/V product for that. I
> use exiscan ACL and McAfee with Exim 4.3 for that.
>

ClamAV is free and also does a good job of catching MyDoom.

- Jon

--
jon@tgpsolutions.com

Administrator, tgpsolutions
http://www.tgpsolutions.com
Re: MyDoom E-mail [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 09 February 2004 11:57, Mark A. DeMichele wrote:
> Has anyone written a rule that catches the MyDoom virus e-mails.
>
> Thanks,
> Mark DeMichele


I use maildrop to call clamav which is a very good av solution.


- --
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAJ+49nT1TkA6FgPgRAkziAKCrmczOU+0lcGrt750F2dPB0irbcACfV9ut
UD8nCHCrUQg+W/VB+nGgzGQ=
=ysZW
-----END PGP SIGNATURE-----
Re: MyDoom E-mail [ In reply to ]
At 12:06 PM 2/9/2004, Wess Bechard wrote:
>If you do use procmail, you can use virus.email to send a message as a
>bounce back. :)

Right. That way you can send bogus bounce notices to people who didn't
send you attachments in the first place, thus doubling the amount of
traffic generated by a virus outbreak without actually notifying the people
whose computers *are* infected.

Unfortunately, that's all you can really do when you're blocking solely
based on file extensions: you can't separate clueless senders from viruses,
so you can't just silently discard things without risking false positives.


Kelson Vibber
SpeedGate Communications <www.speed.net>
RE: MyDoom E-mail [ In reply to ]
I guess the short answer to my original question is "no"?

-----Original Message-----
From: Kelson Vibber [mailto:kelson@speed.net]
Sent: Monday, February 09, 2004 3:37 PM
To: spamassassin-users@incubator.apache.org
Subject: Re: MyDoom E-mail

At 12:06 PM 2/9/2004, Wess Bechard wrote:
>If you do use procmail, you can use virus.email to send a message as a
>bounce back. :)

Right. That way you can send bogus bounce notices to people who didn't
send you attachments in the first place, thus doubling the amount of
traffic generated by a virus outbreak without actually notifying the
people whose computers *are* infected.

Unfortunately, that's all you can really do when you're blocking solely
based on file extensions: you can't separate clueless senders from
viruses, so you can't just silently discard things without risking false
positives.


Kelson Vibber
SpeedGate Communications <www.speed.net>
RE: MyDoom E-mail [ In reply to ]
At 03:45 PM 2/9/2004, Mark A. DeMichele wrote:
>I guess the short answer to my original question is "no"?

Correct. I doubt anyone has written mydoom rules for SA.

I'm pretty sure very few people bother to implement virus scanning rules in
spamassassin, because most of us use virus scanners in addition to SA.
Really, most places seem to already have virus scanning in their email
before they install SA.

With the advent of open-source virus scanners, ie clamav, there's little
need to duplicate efforts, and it saves me the work of trying to write SA
rules because I've already got a tool that covers it, complete with
intelligent, cryptographically signed, automatic updates and everything.
Re: MyDoom E-mail [ In reply to ]
My mail filter blocks extensions, so I need this bounce back to notify
the legitimate senders that they must send in a different format.

Of course, X-Loop is used.


On Mon, 2004-02-09 at 15:36, Kelson Vibber wrote:

> At 12:06 PM 2/9/2004, Wess Bechard wrote:
> >If you do use procmail, you can use virus.email to send a message as a
> >bounce back. :)
>
> Right. That way you can send bogus bounce notices to people who didn't
> send you attachments in the first place, thus doubling the amount of
> traffic generated by a virus outbreak without actually notifying the people
> whose computers *are* infected.
>
> Unfortunately, that's all you can really do when you're blocking solely
> based on file extensions: you can't separate clueless senders from viruses,
> so you can't just silently discard things without risking false positives.
>
>
> Kelson Vibber
> SpeedGate Communications <www.speed.net>

Wess Bechard
Technical Support
eliquidMEDIA
International Inc.

wess@eliquid.com
519.973.1930 -1.800.561.7525
Re: MyDoom E-mail [ In reply to ]
Hi,
On Mon, 9 Feb 2004, Wess Bechard wrote:

> My mail filter blocks extensions, so I need this bounce back to notify
> the legitimate senders that they must send in a different format.

How do you tell legitimate senders from virus-forged senders...?

-- Bob
Re: MyDoom E-mail [ In reply to ]
I don't. I just let the X-loop do its job and let the legits send their
email attachments in a different format.

This is going to work until I have time to implement something better,
like ClamAV.


On Mon, 2004-02-09 at 16:11, Bob Apthorpe wrote:

> Hi,
> On Mon, 9 Feb 2004, Wess Bechard wrote:
>
> > My mail filter blocks extensions, so I need this bounce back to notify
> > the legitimate senders that they must send in a different format.
>
> How do you tell legitimate senders from virus-forged senders...?
>
> -- Bob

Wess Bechard
Technical Support
eliquidMEDIA
International Inc.

wess@eliquid.com
519.973.1930 -1.800.561.7525
Re: MyDoom E-mail [ In reply to ]
What I would REALLY like is a way to make procmail check the virtual
users table and check to see if an address exists before running through
my virus and spam rc's.


On Mon, 2004-02-09 at 16:18, Wess Bechard wrote:

> I don't. I just let the X-loop do its job and let the legits send
> their email attachments in a different format.
>
> This is going to work until I have time to implement something better,
> like ClamAV.
>
>
> On Mon, 2004-02-09 at 16:11, Bob Apthorpe wrote:
>
> > Hi,
> > On Mon, 9 Feb 2004, Wess Bechard wrote:
> >
> > > My mail filter blocks extensions, so I need this bounce back to notify
> > > the legitimate senders that they must send in a different format.
> >
> > How do you tell legitimate senders from virus-forged senders...?
> >
> > -- Bob
>
> Wess Bechard
> Technical Support
> eliquidMEDIA
> International Inc.
>
> wess@eliquid.com
> 519.973.1930 -1.800.561.7525

Wess Bechard
Technical Support
eliquidMEDIA
International Inc.

wess@eliquid.com
519.973.1930 -1.800.561.7525
Re: [spa] Re: MyDoom E-mail [ In reply to ]
On Mon, 9 Feb 2004, Kelson Vibber wrote:
> At 12:06 PM 2/9/2004, Wess Bechard wrote:
> >If you do use procmail, you can use virus.email to send a message as a
> >bounce back. :)
> Right. That way you can send bogus bounce notices to people who didn't
> send you attachments in the first place, thus doubling the amount of
> traffic generated by a virus outbreak without actually notifying the people
> whose computers *are* infected.

HEY! Where do we go to invent new STANDARDS for Mail Transports?
I think it's bad enough that we often end up bouncing mail to an innocent
third party, but when the sender does not exist, and it gets bounced back
to us, that is even *more* of a waste. So I was wondering if we could put
together a 'movement' to insert a new 'standard' header, call it
"X-BOUNCES: No" or something like that, so that any mail transport that
sees that header knows that it should *not* bounce the mail? Even if not
everyone checks for it, at least when the bounce comes back, we can check
for it ourselves and trashcan the bounced bounce..... :-)

Along a similar line, is there any way to cross-check the 'from' address
against the 'received' headers so that in cases where they don't match, we
can perhaps decide not to 'bounce' the mail if it is undeliverable?

- Charles
Re: MyDoom E-mail [ In reply to ]
My apologies to Kelson who just got a personalized copy of my list reply.
Please add my vote to the list of people wanting a 'reply-to' header on
list mail..... :-)

- Charles
RE: MyDoom E-mail [ In reply to ]
> From: Charles Gregory [mailto:cgregory@hwcn.org]
>
> My apologies to Kelson who just got a personalized copy of my list reply.
> Please add my vote to the list of people wanting a 'reply-to' header on
> list mail..... :-)
>
> - Charles

I seem to be contrarian here.

I rather like getting double-copied on "reply all"'s to my post. Why?

Well, I have a "lists" folder, and a "spamassassin-users" subfolder. I have
a rule to auto-route any mail with the spamassassin list headers into the
spamassassin-users subfolder. This allows me to collect all the email and
read it at my leisure, rather than when it comes up.

However, when I post a message to the list, I like to get notification of
any replies in my Inbox (and for completeness, a copy in the list folder as
well.)

Matthew van Eerde
Software Engineer
Hispanic Business Inc.
HireDiversity.com
805.964.4554 x902
Matthew.van.Eerde@hbinc.com
http://www.hispanicbusiness.com
http://www.hirediversity.com
Re: MyDoom E-mail [ In reply to ]
At 03:05 PM 2/9/2004, Charles Gregory wrote:
>Along a similar line, is there any way to cross-check the 'from' address
>against the 'received' headers so that in cases where they don't match, we
>can perhaps decide not to 'bounce' the mail if it is undeliverable?

Check out http://spf.pobox.com/ - it actually works on the envelope sender,
not the From: header, but since that's where bounces should go, it should
do the trick - once it's widely adopted.

Basically, the owner of a domain name adds a DNS record indicating what
servers are allowed to send legitimate mail using their name. Then the
receiving mail server checks to make sure the system contacting it is on
the approved list. Dealing with forwarders gets a bit complicated, but
there are some high-profile sites already testing it out, like AOL,
gnu.org, etc.

SpamAssassin support for SPF is in the works for 2.70.


Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: [spa] Re: MyDoom E-mail [ In reply to ]
On Mon, 9 Feb 2004, Charles Gregory wrote:

> HEY! Where do we go to invent new STANDARDS for Mail Transports?
> I think it's bad enough that we often end up bouncing mail to an innocent
> third party, but when the sender does not exist, and it gets bounced back
> to us, that is even *more* of a waste. So I was wondering if we could put
> together a 'movement' to insert a new 'standard' header, call it
> "X-BOUNCES: No" or something like that, so that any mail transport that
> sees that header knows that it should *not* bounce the mail? Even if not
> everyone checks for it, at least when the bounce comes back, we can check
> for it ourselves and trashcan the bounced bounce..... :-)

Why try to invent new standards when there's one for exactly this
situation that has been around for over 20 years?

Read RFC-2821 section 6.1 for the modern version,
RFC-821 for the original (dated August 1982).



--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
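The two points made above by Kelson (a notice sent on the strength of a forged sender is backscatter) and by Dave (RFC 2821 already says how notifications must be sent) put into code, as an added example that is mine and not from any poster. It keeps the loop safeguards the procmail recipe relies on (X-Loop, Precedence, daemon senders), refuses to answer anything that arrived with the null reverse path, and sends its own notice with the null reverse path `<>` to the envelope sender so that it can never be bounced back. It deliberately does not try to tell a forged sender from a real one, because nothing in the headers allows that. The addresses and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_ADDRESS = "mail-server@mydomain.com"  # assumed, as in the procmail recipe above
LOOP_HEADER = "X-Loop"


def parse(text):
    """Parse a raw RFC 2822 message (helper for the samples below)."""
    return email.message_from_string(text, policy=policy.default)


def should_notify(msg):
    """Return (True, '') if a 'please resend' notice may go out for msg, else (False, reason).

    The checks are the ones the thread already relies on: the null reverse path that
    RFC 2821 notifications carry, procmail's FROM_DAEMON idea (Precedence, daemon
    senders, Auto-Submitted) and the recipe's own X-Loop marker.
    """
    return_path = (msg.get("Return-Path") or "").strip()
    if return_path in ("", "<>"):
        return False, "null reverse path: the mail is itself a notification"
    if any(str(v).strip() == OUR_ADDRESS for v in msg.get_all(LOOP_HEADER, [])):
        return False, "our own X-Loop marker: we already answered this once"
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "junk", "list"):
        return False, "Precedence bulk/junk/list"
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return False, "Auto-Submitted is set"
    sender = parseaddr(msg.get("From") or "")[1].lower()
    if sender.split("@")[0] in ("mailer-daemon", "postmaster"):
        return False, "daemon sender"
    return True, ""


def build_notification(original, text):
    """Compose the notice and return (envelope_sender, message).

    Per RFC 2821 the notice goes to the reverse path, not to the From: header, and
    is sent with the null reverse path '<>' so nobody can bounce it back to us.
    """
    note = EmailMessage()
    note["From"] = OUR_ADDRESS
    note["To"] = parseaddr(original["Return-Path"])[1]
    note["Subject"] = "Re: " + (original.get("Subject") or "")
    note["Precedence"] = "junk"
    note["Auto-Submitted"] = "auto-replied"
    note[LOOP_HEADER] = OUR_ADDRESS
    note.set_content(text)
    return "<>", note


def simulate_delivery(envelope_sender, msg):
    """Stand-in for the receiving MTA, which records the envelope sender as Return-Path."""
    delivered = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    delivered["Return-Path"] = envelope_sender if envelope_sender == "<>" else f"<{envelope_sender}>"
    return delivered


# Constructed sample: a worm picked innocent@example.org out of an address book on an
# infected machine, so headers and envelope both name someone who never sent anything.
FORGED = parse(
    "Return-Path: <innocent@example.org>\nFrom: innocent@example.org\n"
    "To: user@mydomain.com\nSubject: hello\n\n(body with blocked attachment)\n"
)

if __name__ == "__main__":
    ok, why = should_notify(FORGED)
    print("notify forged sender?", ok, why)  # True: nothing here separates forged from real
    env, note = build_notification(FORGED, "Your attachment type is not accepted; please resend.")
    print("envelope sender of our notice:", env)
    print("answer our own notice?", should_notify(simulate_delivery(env, note)))
```

The first print shows Kelson's point standing: the forged message passes every safeguard and innocent@example.org gets a notice. The last print shows what the safeguards do buy: when the notice itself comes back (misdirected, or looped through another auto-responder) it is recognised and dropped rather than answered again.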
Re: MyDoom E-mail [ In reply to ]
Kelson Vibber <kelson@speed.net> writes:

> SpamAssassin support for SPF is in the works for 2.70.

It would be nice if there could be 2 alternate support methods. One
for when the MTA is already using SPF and has either rejected the
mail if it fails the test or added a Received-SPF: header, where SA
just scores on that header. Second for when the MTA does not use SPF,
and SA itself calls Mail::SPF::Query. It seems a waste of resource
for SA to call SPF when the MTA has already done so.
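An offline illustration of the check Kelson describes and of the split asked for just above, as an added example that is mine and not code from spf.pobox.com or from any poster. check_spf() evaluates only the ip4, ip6, include and all mechanisms against an invented table standing in for DNS TXT lookups; a real evaluator also needs the a, mx, exists and redirect mechanisms, macros and live DNS, and the forwarding caveat Kelson mentions still applies. received_spf_header() is what an SPF-aware MTA would record, and score_from_header() is the cheap path a filter can take instead of repeating the lookup.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups; none of these records are real.
TXT_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from, lookup=TXT_RECORDS.get, depth=0):
    """Evaluate the ip4/ip6/include/all subset of SPF for the MAIL FROM domain.

    Returns pass, fail, softfail, neutral, none (no record) or permerror. The a, mx,
    exists and redirect mechanisms and macros are left out: they need live DNS.
    """
    if depth > 10:
        return "permerror"  # include: chains are capped, as real evaluators do
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = lookup(domain) or ""
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in net:  # False when address and network families differ
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_spf(client_ip, "postmaster@" + arg, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this example's subset
    return "neutral"


def received_spf_header(client_ip, envelope_from, helo="unknown"):
    """The header an SPF-aware MTA would add so a later filter can score it
    instead of repeating the lookup."""
    result = check_spf(client_ip, envelope_from)
    domain = envelope_from.rsplit("@", 1)[-1]
    verdict = "permitted" if result == "pass" else "not permitted"
    return (f"Received-SPF: {result} (domain of {domain} designates {client_ip} as "
            f"{verdict} sender) client-ip={client_ip}; envelope-from={envelope_from}; helo={helo};")


def score_from_header(message_text):
    """What a filter rule would do on the cheap path: read the verdict the MTA recorded."""
    m = re.search(r"^Received-SPF:\s*([a-z]+)", message_text, re.M | re.I)
    return m.group(1).lower() if m else None


if __name__ == "__main__":
    # A worm on 203.0.113.5 claiming to be bob@example.org: the domain says fail.
    print(received_spf_header("203.0.113.5", "bob@example.org"))
    print(received_spf_header("192.0.2.10", "bob@example.org"))
```

Note that the check runs against the envelope sender (MAIL FROM), which is also where RFC 2821 bounces are addressed, so a fail here is exactly the case where a bounce or a "please resend" notice would land on somebody who never sent the mail.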
Re: MyDoom E-mail [ In reply to ]
Along the lines of Mark's question, I'm trying to develop such a rule
but I can't get it to work:

full MYDOOM_ATTACHMENT /Content-Disposition: attachment;.filename="(document|readme|doc|text|file|data|test|message|body)(\.(htm|txt|doc))?\.(pif|scr|exe|cmd|bat|zip)"/

[watch for line wrapping - should all be on one line!]

Can someone tell me why this isn't working ['describe' and 'score' lines
omitted for brevity]?


Mark A. DeMichele wrote:
> Has anyone written a rule that catches the MyDoom virus e-mails.
>
> Thanks,
>
> Mark DeMichele
>
RE: MyDoom E-mail [ In reply to ]
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org]On Behalf Of Damon McMahon
> Sent: Wednesday, February 11, 2004 3:51 PM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: MyDoom E-mail
>
>
> Along the lines of Mark's question, I'm trying to develop such a rule
> but I can't get it to work:
>
> full MYDOOM_ATTACHMENT /Content-Disposition: attachment;.filename="(document|readme|doc|text|file|data|test|message|body)(\.(htm|txt|doc))?\.(pif|scr|exe|cmd|bat|zip)"/
>
> [watch for line wrapping - should all be on one line!]
>
> Can someone tell me why this isn't working ['describe' and 'score' lines
> omitted for brevity]?

In the virus mail I've seen, they look something like this:

------=_NextPart_000_0011_516A90FC.80A5C194
Content-Type: application/octet-stream;
name="xxxx.zzz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="xxxx.zzz"

Above, I've substituted 'xxxx.zzz' for 'body.zip' just to avoid any being
trashed by an over-anxious procmailrc recipe.

Above note that the name and filename lines are on different lines from the
Content- lines.

I think that's the problem you may be running into. I don't think that full
body tests (or any tests) can span lines. So, you'll need to break this up
into a couple of subrules and combine them into a metarule, I think.
Re: MyDoom E-mail [ In reply to ]
Thanks for the reply, Gary, but that's not it.

I've tried:

full MYDOOM_ATTACHMENT /filename="(document|readme|doc|text|file|data|test|message|body)(\.(htm|txt|doc))?\.(pif|scr|exe|cmd|bat|zip)"$/

is still not working.

Any other ideas?

Gary Funck wrote:

>
>>-----Original Message-----
>>From: news [mailto:news@sea.gmane.org]On Behalf Of Damon McMahon
>>Sent: Wednesday, February 11, 2004 3:51 PM
>>To: spamassassin-users@incubator.apache.org
>>Subject: Re: MyDoom E-mail
>>
>>
>>Along the lines of Mark's question, I'm trying to develop such a rule
>>but I can't get it to work:
>>
>>full MYDOOM_ATTACHMENT /Content-Disposition: attachment;.filename="(document|readme|doc|text|file|data|test|message|body)(\.(htm|txt|doc))?\.(pif|scr|exe|cmd|bat|zip)"/
>>
>>[watch for line wrapping - should all be on one line!]
>>
>>Can someone tell me why this isn't working ['describe' and 'score' lines
>>omitted for brevity]?
>
>
> In the virus mail I've seen, they look something like this:
>
> ------=_NextPart_000_0011_516A90FC.80A5C194
> Content-Type: application/octet-stream;
> name="xxxx.zzz"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> filename="xxxx.zzz"
>
> Above, I've substituted 'xxxx.zzz' for 'body.zip' just to avoid any being
> trashed by an over-anxious procmailrc recipe.
>
> Above note that the name and filename lines are on different lines from the
> Content- lines.
>
> I think that's the problem you may be running into. I don't think that full
> body tests (or any tests) can span lines. So, you'll need to break this up
> into a couple of subrules and combine them into a metarule, I think.
>
>
>
RE: MyDoom E-mail [ In reply to ]
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org]On Behalf Of Damon McMahon
> Sent: Wednesday, February 11, 2004 5:01 PM
>
[...]
> I've tried:
>
> full MYDOOM_ATTACHMENT /filename="(document|readme|doc|text|file|data|test|message|body)(\.(htm|txt|doc))?\.(pif|scr|exe|cmd|bat|zip)"$/
>
> is still not working.
>
> Any other ideas?

1) make sure that you have a non-zero score for this rule.
2) run spamassassin --lint to make sure that an error elsewhere
isn't causing problems.
3) restart spamd if you're running spamd/spamc.
4) run 'spamassassin -t -D rulesrun=255 < test.msg' for maximum
debug output.
5) try ditching the '$', just for the heck of it, and go back
to 1) above. <g>
Re: MyDoom E-mail [ In reply to ]
Thanks for the suggestions. Having done some further troubleshooting I'm
convinced that the full body regexp search either isn't being run or
isn't working as I would expect.

Any further clues? Where would I find more info about the full body search?

Thanks...


Gary Funck wrote:

>
>>-----Original Message-----
>>From: news [mailto:news@sea.gmane.org]On Behalf Of Damon McMahon
>>Sent: Wednesday, February 11, 2004 5:01 PM
>>
>
> [...]
>
>>I've tried:
>>
>>full MYDOOM_ATTACHMENT /filename="(document|readme|doc|text|file|data|test|message|body)(\.(htm|txt|doc))?\.(pif|scr|exe|cmd|bat|zip)"$/
>>
>>is still not working.
>>
>>Any other ideas?
>
>
> 1) make sure that you have a non-zero score for this rule.
> 2) run spamassassin --lint to make sure that an error elsewhere
> isn't causing problems.
> 3) restart spamd if you're running spamd/spamc.
> 4) run 'spamassassin -t -D rulesrun=255 < test.msg' for maximum
> debug output.
> 5) try ditching the '$', just for the heck of it, and go back
> to 1) above. <g>
>
>
>
>
RE: MyDoom E-mail [ In reply to ]
I modified this from my Procmail script and obviously needs to be
adjusted to suit your needs.

/name="*(?:\w|-)+\.(?:com|cpl|chm|crt|exe|hlp|lnk|ms[cipt]|ocx|pcd|p[ir]f|scr|sh[bs]|zip)(?:"|$)/

I found that using 'filename' does not always work but using 'name'
does. I can't remember if the double quote needs to be escaped but you
should not always expect that it will be there. You'll know when you
lint though. ;) Hope this helps.

--Larry



> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On Behalf Of Damon McMahon
> Posted At: Wednesday, February 11, 2004 10:18 PM
> Posted To: Larry Gilson
> Conversation: MyDoom E-mail
> Subject: Re: MyDoom E-mail
>
> Thanks for the suggestions. Having done some further troubleshooting I'm
> convinced that the full body regexp search either isn't being run or
> isn't working as I would expect.
>
> Any further clues? Where would I find more info about the full body search?
>
> Thanks...
>
>
> Gary Funck wrote:
>
> >
> >>-----Original Message-----
> >>From: news [mailto:news@sea.gmane.org]On Behalf Of Damon McMahon
> >>Sent: Wednesday, February 11, 2004 5:01 PM
> >>
> >
> > [...]
> >
> >>I've tried:
> >>
> >>full MYDOOM_ATTACHMENT /filename="(document|readme|doc|text|file|data|test|message|body)(\.(htm|txt|doc))?\.(pif|scr|exe|cmd|bat|zip)"$/
> >>
> >>is still not working.
> >>
> >>Any other ideas?
> >
> >
> > 1) make sure that you have a non-zero score for this rule.
> > 2) run spamassassin --lint to make sure that an error elsewhere
> > isn't causing problems.
> > 3) restart spamd if you're running spamd/spamc.
> > 4) run 'spamassassin -t -D rulesrun=255 < test.msg' for maximum
> > debug output.
> > 5) try ditching the '$', just for the heck of it, and go back
> > to 1) above. <g>
> >
> >
> >
> >
>
>

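The rule bodies from this subthread run over a constructed message in the layout Gary quotes, as an added example that is mine and not from any poster. Python's re is used because it agrees with Perl on the two details that decide the outcome here: '.' does not match a newline, and '$' without the multi-line modifier only matches at the very end of the text (or just before its final newline). The sample part, the base64 filler and the "folded" variant at the end are constructed for the example; the other four patterns are the ones posted above.

```python
import re

# Constructed MIME part in the layout Gary quotes: name= and filename= on continuation lines.
SAMPLE = (
    "------=_NextPart_000_0011_516A90FC.80A5C194\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="body.zip"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    '\tfilename="body.zip"\n'
    "\n"
    "UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==\n"
    "------=_NextPart_000_0011_516A90FC.80A5C194--\n"
)

# The file name alternation shared by all of Damon's attempts.
NAMES = r"(document|readme|doc|text|file|data|test|message|body)(\.(htm|txt|doc))?\.(pif|scr|exe|cmd|bat|zip)"

RULES = {
    # Damon's first rule: the single '.' after 'attachment;' would have to match "\n\t".
    "first": re.compile(r'Content-Disposition: attachment;.filename="' + NAMES + r'"'),
    # Damon's second rule: '$' cannot match right after the closing quote in mid-message.
    "second": re.compile(r'filename="' + NAMES + r'"$'),
    # Gary's item 5: the same rule with the '$' dropped.
    "no_dollar": re.compile(r'filename="' + NAMES + r'"'),
    # Larry's observation: 'name=' is also the tail of 'filename=', so it matches either header.
    "name_only": re.compile(r'name="' + NAMES + r'"'),
    # Folding-aware form: any whitespace after ';' (newline included) and a per-line '$'.
    "folded": re.compile(r'Content-Disposition:\s*attachment;\s*filename="' + NAMES + r'"$', re.M),
}


def evaluate(text=SAMPLE):
    """Which of the rule bodies fire on the text."""
    return {name: bool(rx.search(text)) for name, rx in RULES.items()}


def matched_names(text=SAMPLE):
    """Distinct file names the name= / filename= parameters carry, for a log line or a describe."""
    found = [m.group(0) for m in re.finditer(r'(?<=name=")' + NAMES + r'(?=")', text)]
    return list(dict.fromkeys(found))


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:10s} {'matches' if fired else 'no match'}")
    print("names:", matched_names())
```

The same five patterns all fire when the parameter sits on the same line as the header, which is why a rule can look right on one hand-made test message and still miss the real traffic; test rules against a captured sample, not a retyped one.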