From owner-freebsd-questions Tue Nov 27 11:38:32 2001
Date: Tue, 27 Nov 2001 14:38:57 -0500
From: Louis LeBlanc
To: questions@FreeBSD.ORG
Subject: Re: The Stupid Virus going arround (recipe results so far)
Message-ID: <20011127193857.GN36710@keyslapper.org>
Reply-To: freebsd-questions@FreeBSD.ORG
References: <012101c17750$94e047e0$a50410ac@olmct.net> <20011127144157.GA12429@rhadamanth> <20011127155844.GD36710@keyslapper.org>
In-Reply-To: <20011127155844.GD36710@keyslapper.org>
User-Agent: Mutt/1.3.23.2i
X-PGP-Fingerprint: 4EA2 24FF 41B0 0258 9A54 9309 7803 D662 B364 4562
X-bright-idea: Lets abolish HTML mail!

On 11/27/01 10:58 AM, Louis LeBlanc sat at the `puter and typed:
> On 11/27/01 02:41 PM, setantae sat at the `puter and typed:
> > On Tue, Nov 27, 2001 at 09:34:11AM -0500, Andre` Niel Cameron wrote:
> > > The next time I get this thing I am sending everyone a copy of Norton ;)
> > > Everyone knows someone stuck a virus on the list. Most of us have anti-virus
> > > software, some do not. I think those who do not need to go to download.com and
> > > get some, as you keep sending the virus to the list. Just a thought.
> >
> > Did anyone knock out a procmail recipe for it yet?
> >
> > If so, could you share it please?
> >
> > Thanks,
> >
> > Ceri
>
> This was recently shared on the procmail users list:
>
> # Trap BadTrans? (signature as of 11/26/2001)
> #
> :0
> * > 40000
> * < 50000
> * ^Subject:.*Re:
> * ^Content-Type:.*multipart/related;.*"multipart/alternative";.*boundary="====_ABC1234567890DEF_===="
> {
>   :0 B hfi
>   * ^Content-Type: audio/x-wav;
>   * ^Content-ID:
>   * ^Content-Transfer-Encoding: base64
>   | formail -Y -f -A "X-Content-Security: [$HOST] NOTIFY" \
>       -A "X-Content-Security: [$HOST] QUARANTINE" \
>       -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
> }
> :0A
> { FOLDER=spam }
>
> The first recipe will set headers to tell you that it is the worm, the
> second can be used to redirect it. I'm just dumping it into a spam
> folder with the other cr@p, but you may want to /dev/null or bounce
> it.
>
> The key is the Content-Type header. Apparently it always uses the same
> mime types and the same boundary - with the quotes.

Just thought you folks might want to know how I've fared with this
particular recipe so far today:

  Infected messages caught: 14
  Infected messages missed: 0
  False positives:          0

This is what the attachments look like in mutt:

  I 1                 [multipa/alternativ, 7bit, 0.3K]
  I 2   `->           [text/html, quoted, iso-8859-1, 0.1K]
  I 3   docs.DOC.pif  [audio/x-wav, base64, 38K]
  I 4                 [text/plain, 7bit, us-ascii, 0.1K]

The .pif attachment is the actual virus, and can have various names. I
don't know if it's munged from an actual document on a hard drive it's
been on, but I've seen such titles as Humor.mp3.pif, me_naked.jpg.pif
(LOL) and various other names that don't look random.

Looks like it works, tho.

Lou

PS. You may need to use different formail flags in the pipe used in
that recipe. Forgot to mention that in the original post.

-- 
Louis LeBlanc                       leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

A Law of Computer Programming:
  Make it possible for programmers to write in English and you will
  find that programmers cannot write in English.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
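The same two-stage check the procmail recipe above performs (fixed multipart/related header and size window, then a base64 audio/x-wav part with a Content-ID, then tagging and routing), re-implemented over a parsed message as an added Python example that is not part of this thread or of procmail. The boundary, MIME types, size limits, header names and report URL are the recipe's own; the sample message, the host name "mx" and the `inbox`/`spam` return values are constructed for the example.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# Values taken from the procmail recipe quoted in the thread above.
BADTRANS_BOUNDARY = "====_ABC1234567890DEF_===="
MIN_SIZE, MAX_SIZE = 40000, 50000  # the recipe's "* > 40000" and "* < 50000"
REPORT_URL = "http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"

def header_checks(msg: EmailMessage, size: int) -> bool:
    """Outer recipe: size window, 'Re:' in the Subject, and the fixed Content-Type shape."""
    if not (MIN_SIZE < size < MAX_SIZE) or "Re:" not in (msg.get("Subject") or ""):
        return False
    return (msg.get_content_type() == "multipart/related"
            and msg.get_param("type") == "multipart/alternative"
            and msg.get_boundary() == BADTRANS_BOUNDARY)

def body_checks(msg: EmailMessage) -> bool:
    """Inner ':0 B' recipe: some part is base64 audio/x-wav and carries a Content-ID."""
    return any(part.get_content_type() == "audio/x-wav"
               and part.get("Content-ID") is not None
               and str(part.get("Content-Transfer-Encoding", "")).lower() == "base64"
               for part in msg.walk())

def tag_message(raw: bytes, host: str = "mx") -> EmailMessage:
    """Mimic the 'formail -A' action: add X-Content-Security headers when both recipes match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if header_checks(msg, len(raw)) and body_checks(msg):
        msg["X-Content-Security"] = f"[{host}] NOTIFY"
        msg["X-Content-Security"] = f"[{host}] QUARANTINE"
        msg["X-Content-Security"] = f"[{host}] REPORT: Trapped BadTrans worm - see {REPORT_URL}"
    return msg

def route(msg: EmailMessage) -> str:
    """The ':0A { FOLDER=spam }' step: tagged mail goes to the spam folder, the rest is delivered."""
    tags = msg.get_all("X-Content-Security", [])
    return "spam" if any("QUARANTINE" in t for t in tags) else "inbox"

def build_sample(payload_len: int, boundary: str = BADTRANS_BOUNDARY) -> bytes:
    """Constructed message shaped like the mutt listing above; the 'attachment' is zero bytes, not a worm."""
    blob = base64.b64encode(b"\0" * payload_len).decode()
    return "\r\n".join([
        "Subject: Re: hello", "From: someone@example.invalid",
        f'Content-Type: multipart/related; type="multipart/alternative"; boundary="{boundary}"', "",
        f"--{boundary}", "Content-Type: text/html; charset=iso-8859-1", "", "<html></html>",
        f"--{boundary}", "Content-Type: audio/x-wav; name=docs.DOC.pif",
        "Content-Transfer-Encoding: base64", "Content-ID: <filler@example.invalid>", "", blob,
        f"--{boundary}--", "",
    ]).encode()
```

A 30000-byte filler encodes to 40000 base64 characters, which with headers lands inside the recipe's size window; changing the boundary or shrinking the payload shows how narrowly the signature matches.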