From: Louis LeBlanc
Date: Tue, 27 Nov 2001 10:58:45 -0500
To: questions@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: The Stupid Virus going arround.
Message-ID: <20011127155844.GD36710@keyslapper.org>
In-Reply-To: <20011127144157.GA12429@rhadamanth>

On 11/27/01 02:41 PM, setantae sat at the `puter and typed:
> On Tue, Nov 27, 2001 at 09:34:11AM -0500, Andre` Niel Cameron wrote:
> > The next time I get this thing I am sending everyone a copy a Norton;)
> > Everyone knows someone stuck a virus on the list, most of us have Anti Virus
> > software some do not I think those who do not need to goto download.com and
> > get some as you keep sending the virus to the list. Just a thought.
>
> Did anyone knock out a procmail recipe for it yet ?
>
> If so, could you share it please ?
>
> Thanks,
>
> Ceri

This was recently shared on the procmail users list:

# Trap BadTrans? (signature as of 11/26/2001)
#
# Outer recipe: message size between 40000 and 50000 bytes, a "Re:" subject,
# and the fixed Content-Type / boundary string.
:0
* > 40000
* < 50000
* ^Subject:.*Re:
* ^Content-Type:.*multipart/related;.*"multipart/alternative";.*boundary="====_ABC1234567890DEF_===="
{
  # Nested recipe: check the body (B) for the attachment's MIME headers, then
  # filter the header (h, f) through formail to add the tagging headers.
  :0 B hfi
  * ^Content-Type: audio/x-wav;
  * ^Content-ID:
  * ^Content-Transfer-Encoding: base64
  | formail -Y -f -A "X-Content-Security: [$HOST] NOTIFY" \
            -A "X-Content-Security: [$HOST] QUARANTINE" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
}

# Runs only if the recipe above matched.
:0A
{
  FOLDER=spam
}

The first recipe will set headers to tell you that it is the worm; the
second can be used to redirect it. I'm just dumping it into a spam
folder with the other cr@p, but you may want to /dev/null or bounce it.

The key is the Content-Type header. Apparently it always uses the same
MIME types and the same boundary - with the quotes.

HTH
Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

The goal of science is to build better mousetraps.
The goal of nature is to build better mice.
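
Added example, not part of the original post or of the procmail list's recipe: a Python re-statement of the recipe's conditions that reports which ones a message fails, so the signature can be checked offline against saved mail before it is deployed. The function names, the condition labels and the sample message (filler payload, `example.org` sender, `type=` parameter) are constructed for illustration.

```python
import re

# The recipe's conditions. procmail matches case-insensitively, line by line,
# on unfolded headers; "B" conditions are matched against the body.
BOUNDARY = "====_ABC1234567890DEF_===="
HEADER_CONDS = [
    ("subject", r"^Subject:.*Re:"),
    ("content-type", r'^Content-Type:.*multipart/related;.*"multipart/alternative";'
                     r'.*boundary="' + BOUNDARY + '"'),
]
BODY_CONDS = [
    ("wav-part", r"^Content-Type: audio/x-wav;"),
    ("content-id", r"^Content-ID:"),
    ("base64", r"^Content-Transfer-Encoding: base64"),
]
MIN_SIZE, MAX_SIZE = 40000, 50000  # "* > 40000" and "* < 50000"

def failed_conditions(raw: bytes) -> list:
    """Names of the recipe conditions a message does NOT meet ([] = trapped)."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    failed = [] if MIN_SIZE < len(raw) < MAX_SIZE else ["size"]
    flags = re.I | re.M
    failed += [n for n, rx in HEADER_CONDS if not re.search(rx, head, flags)]
    failed += [n for n, rx in BODY_CONDS if not re.search(rx, body, flags)]
    return failed

def sample(boundary: str, pad: int) -> bytes:
    """Constructed message; the 'attachment' is filler, not worm content."""
    filler = "\n".join(["A" * 76] * (pad // 77))
    return (
        "From: someone@example.org\n"
        "Subject: Re: hello\n"
        "Content-Type: multipart/related;\n"
        '\ttype="multipart/alternative";\n'
        f'\tboundary="{boundary}"\n\n'
        f"--{boundary}\n"
        "Content-Type: audio/x-wav;\n"
        "\tname=constructed.bin\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-ID: <constructed>\n\n"
        f"{filler}\n--{boundary}--\n"
    ).encode("ascii")

if __name__ == "__main__":
    print(failed_conditions(sample(BOUNDARY, 45000)))              # all conditions met
    print(failed_conditions(sample("----=_NextPart_000", 45000)))  # boundary differs
    print(failed_conditions(sample(BOUNDARY, 1000)))               # outside size window
```

A message that differs only in its boundary string or its size falls through, which is why the recipe is labelled with the date of the signature it matches.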