From: Matthew Seaman
To: Oliver Fromme
Cc: freebsd-stable@freebsd.org
Date: Fri, 19 Sep 2003 19:48:17 +0100
Subject: Re: Sieve script to filter today's MS annoyances
Message-ID: <20030919184817.GA57070@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <200309191729.h8JHTDal019393@lurza.secnetix.de>
References: <87fzitqwop.fsf@strauser.com> <200309191729.h8JHTDal019393@lurza.secnetix.de>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)
X-Spam-Status: No, hits=-9.4 required=5.0 (SpamAssassin 2.55)

On Fri, Sep 19, 2003 at 07:29:13PM +0200, Oliver Fromme wrote:
> Kirk Strauser wrote:
> > I don't know what's going on, but I've been getting literally hundreds of
> > virus/worm-looking emails per hour all day today. I grew tired of it and
> > wrote the following Sieve script to filter my mail on the server.
> >
> > The pseudo-bounce messages were particularly annoying; they're close enough
> > to the real bounce messages that I *want* to keep that they justified a
> > little closer examination. I'll probably tighten the other message type to
> > also examine the sender, but I doubt I'll be getting any legitimate mails
> > that look like:
> >
> > Subject: latest security patch
> >
> > in the near future. Anyway, enjoy as you see fit.
>
> I got lots of those, too. From looking at the headers,
> there didn't seem to be very reliable things to identify
> that crap, so I decided to filter by body.
>
> The following is an excerpt from my ~/.mailfilter (I'm
> using /usr/ports/mail/maildrop):
>
>
> if (/^"September 2003, Cumulative Patch" update which /:b || \
>     /^Content-Type: audio\/x-(wav|midi); name="[a-z]*\.(exe|com|bat|scr)"/:b)
> {
>     to "$HOME/Mail/fake-ms-crap"
> }
>

The string:

    AJBAPACQQDkAkEA3AJBANACQQDEAkEAvAJBALACQQCoAkEApAJBAJwCQQCUAkEAjAJBAIQCQQB8

seems to appear in all instances of the W32/Gibe worm. However, I find
feeding the worm emails into the Bayes classifier gives me a certain
vicarious satisfaction... That and tweaking the SpamAssassin rules so
that MICROSOFT_EXECUTABLE scores 4.0 points means that most of them are
scoring high enough to bounce now.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
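The three detection ideas discussed in this thread (Kirk's subject match, Oliver's maildrop body patterns, and Matthew's W32/Gibe fragment plus SpamAssassin-style scoring) combined into one small Python filter, as an added example that is not code from any of the posters. The regular expressions are transcribed from the quoted .mailfilter; the per-rule scores other than the 4.0 for the executable attachment and the 5.0 threshold are constructed for the example, as are the two sample messages, the rule names and the function names.

```python
import re
from email import message_from_string

# Patterns transcribed from the rules quoted in the thread (maildrop syntax
# rewritten for Python's re; ^ anchors to the start of a body line, and the
# match is case-insensitive here).
PATCH_BODY_RE = re.compile(
    r'^"September 2003, Cumulative Patch" update which ', re.M | re.I)
EXEC_ATTACH_RE = re.compile(
    r'^Content-Type: audio/x-(wav|midi); name="[a-z]*\.(exe|com|bat|scr)"',
    re.M | re.I)
PATCH_SUBJECT_RE = re.compile(r'^latest security patch$', re.I)

# Base64 fragment the mail reports as present in every W32/Gibe sample seen.
GIBE_FRAGMENT = ("AJBAPACQQDkAkEA3AJBANACQQDEAkEAvAJBALACQQCoAkEApAJBAJwC"
                 "QQCUAkEAjAJBAIQCQQB8")

# Scores are constructed for this example, except the 4.0 for the executable
# attachment (the MICROSOFT_EXECUTABLE tweak) and the 5.0 threshold
# (SpamAssassin's required=5.0, visible in the X-Spam-Status header).
RULE_SCORES = {
    "patch-subject": 1.0,
    "patch-body": 3.0,
    "exec-attachment": 4.0,
    "gibe-fragment": 5.0,
}
REQUIRED_SCORE = 5.0


def raw_body(raw: str) -> str:
    """Everything after the top-level header block.  maildrop's :b flag
    matches the raw body, MIME part headers included, so this does the same
    instead of walking the decoded parts."""
    _, sep, body = raw.partition("\n\n")
    return body if sep else ""


def classify(raw: str) -> list[str]:
    """Return the names of the rules that fire on a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = raw_body(raw)
    hits = []
    if PATCH_SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("patch-subject")
    if PATCH_BODY_RE.search(body):
        hits.append("patch-body")
    if EXEC_ATTACH_RE.search(body):
        hits.append("exec-attachment")
    if GIBE_FRAGMENT in body:
        hits.append("gibe-fragment")
    return hits


def score(raw: str) -> float:
    """SpamAssassin-style additive score over the rules that fired."""
    return sum(RULE_SCORES[h] for h in classify(raw))


def folder_for(raw: str) -> str:
    """Deliver to the quarantine folder from the quoted .mailfilter once
    the score reaches the threshold, otherwise to the inbox."""
    return "$HOME/Mail/fake-ms-crap" if score(raw) >= REQUIRED_SCORE else "INBOX"


# Constructed sample messages; neither is a real worm sample.
SAMPLE_WORM = "\n".join([
    'From: "Security Update" <patch@example.invalid>',
    "To: user@example.invalid",
    "Subject: latest security patch",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="sample-boundary"',
    "",
    "--sample-boundary",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    '"September 2003, Cumulative Patch" update which eliminates all known',
    "security vulnerabilities (constructed sample text).",
    "",
    "--sample-boundary",
    'Content-Type: audio/x-wav; name="patch.exe"',
    "Content-Transfer-Encoding: base64",
    "",
    GIBE_FRAGMENT,
    "--sample-boundary--",
    "",
])

SAMPLE_LEGIT = "\n".join([
    "From: colleague@example.invalid",
    "To: user@example.invalid",
    "Subject: Re: lunch?",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Sure, noon works.  Did you install the latest security patch yet?",
    "",
])

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM), ("legit", SAMPLE_LEGIT)):
        print(name, classify(raw), score(raw), folder_for(raw))
```

Matching the raw body rather than decoded parts mirrors maildrop's behaviour and is what lets the attachment rule see the MIME part's Content-Type line; the legitimate sample shows that the phrase "latest security patch" in a body does not fire the subject rule, which is the distinction Kirk's script relies on.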