Date: Fri, 19 Sep 2003 19:48:17 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Oliver Fromme <olli@lurza.secnetix.de>
Cc: freebsd-stable@freebsd.org
Subject: Re: Sieve script to filter today's MS annoyances
Message-ID: <20030919184817.GA57070@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <200309191729.h8JHTDal019393@lurza.secnetix.de>
References: <87fzitqwop.fsf@strauser.com> <200309191729.h8JHTDal019393@lurza.secnetix.de>
On Fri, Sep 19, 2003 at 07:29:13PM +0200, Oliver Fromme wrote:
> Kirk Strauser <kirk@strauser.com> wrote:
> > I don't know what's going on, but I've been getting literally hundreds of
> > virus/worm-looking emails per hour all day today. I grew tired of it and
> > wrote the following Sieve script to filter my mail on the server.
> >
> > The pseudo-bounce messages were particularly annoying; they're close enough
> > to the real bounce messages that I *want* to keep that they justified a
> > little closer examination. I'll probably tighten the other message type to
> > also examine the sender, but I doubt I'll be getting any legitimate mails
> > that look like:
> >
> > Subject: latest security patch
> >
> > in the near future. Anyway, enjoy as you see fit.
>
> I got lots of those, too. From looking at the headers,
> there didn't seem to be very reliable things to identify
> that crap, so I decided to filter by body.
>
> The following is an excerpt from my ~/.mailfilter (I'm
> using /usr/ports/mail/maildrop):
>
>
> if (/^"September 2003, Cumulative Patch" update which /:b || \
>     /^Content-Type: audio\/x-(wav|midi); name="[a-z]*\.(exe|com|bat|scr)"/:b)
> {
>     to "$HOME/Mail/fake-ms-crap"
> }
>

The string:

    AJBAPACQQDkAkEA3AJBANACQQDEAkEAvAJBALACQQCoAkEApAJBAJwCQQCUAkEAjAJBAIQCQQB8

seems to appear in all instances of the W32/Gibe worm.

However, I find feeding the worm emails into the Bayes classifier gives me a
certain vicarious satisfaction... That and tweaking the SpamAssassin rules so
that MICROSOFT_EXECUTABLE scores 4.0 points means that most of them are scoring
high enough to bounce now.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
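The two heuristics in this thread, Oliver's maildrop body rules and Matthew's W32/Gibe marker string, rebuilt as a small MIME-aware classifier. This is an added example, not code from the thread; the sample message, the sender address and the attachment bytes are constructed, and the attachment contains only the marker string, not a real executable.

```python
import email
import re
from email import policy

# Constructed sample shaped like the fake "security patch" mails in the thread: a
# worm executable declared as audio/x-wav. The attachment is a placeholder that
# only contains the base64 marker string quoted in the thread.
SAMPLE_MAIL = b"""\
From: "Microsoft Corporation" <security@example.invalid>
Subject: latest security patch
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

"September 2003, Cumulative Patch" update which fixes all known vulnerabilities.
--XYZ
Content-Type: audio/x-wav; name="patch.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVIgAJBAPACQQDkAkEA3AJBANACQQDEAkEAvAJBALACQQCoAkEApAJBAJwCQQCUAkEAjAJBAIQCQQB8
--XYZ--
"""

PATCH_TEXT = '"September 2003, Cumulative Patch" update which '   # Oliver's first body rule
DISGUISE_TYPES = {"audio/x-wav", "audio/x-midi"}                 # MIME types the worm claims
EXEC_NAME = re.compile(r"\.(exe|com|bat|scr)$", re.IGNORECASE)   # any name, not just [a-z]*
GIBE_MARKER = b"AJBAPACQQDkAkEA3AJBANACQQDEAkEAvAJBALACQQCoAkEApAJBAJwCQQCUAkEAjAJBAIQCQQB8"

def has_fake_patch_text(msg):
    """True if any text/plain part carries the fake Microsoft patch blurb."""
    return any(part.get_content_type() == "text/plain" and PATCH_TEXT in part.get_content()
               for part in msg.walk())

def disguised_executables(msg):
    """Names of parts declared as audio but carrying an executable filename."""
    hits = []
    for part in msg.walk():
        name = part.get_filename() or part.get_param("name") or ""
        if part.get_content_type() in DISGUISE_TYPES and EXEC_NAME.search(name):
            hits.append(name)
    return hits

def classify(raw):
    """Return the names of the rules a raw RFC 2822 message trips (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    checks = {"fake-patch-text": has_fake_patch_text(msg),
              "disguised-executable": bool(disguised_executables(msg)),
              "gibe-marker": GIBE_MARKER in raw}   # Matthew's marker, on the raw base64 body
    return [name for name, hit in checks.items() if hit]
```

Unlike a raw-body regex, the MIME walk also catches attachments whose names use capitals or digits, which Oliver's `[a-z]*` pattern would miss.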