Re: Filter for W32/Swen@MM, was Re: Virus emails

To: debian-devel <debian-devel@lists.debian.org>
Subject: Re: Filter for W32/Swen@MM, was Re: Virus emails
From: Joachim Breitner <debian@joachim-breitner.de>
Date: Sat, 20 Sep 2003 19:26:41 +0200
Message-id: <[🔎] 1064078800.13008.22.camel@barney.ehbuehl33.ehbuehl.net>
In-reply-to: <[🔎] 20030920171206.GA4785@intranet.sambara.org>
References: <[🔎] 20030920171206.GA4785@intranet.sambara.org>

Hi,

I would be more interested in blocking these with exim, before they
enter my world. Exim should just not accept any message that has a FROM:
header (just for thie next few days, until the problem ebbed down).

any ideas?

nomeata

Am Sa, 2003-09-20 um 19.12 schrieb Ismael Valladolid Torres:
> Jarno Elonen just posted in debian-mentors these useful guidelines to
> fight against those anoying messages. This works great for me, and
> serve as a basis to fight against future similar viruses.
> 
> Regards, Ismael
> 
> ----- Forwarded message from Jarno Elonen <elonen@iki.fi> -----
> 
> From: Jarno Elonen <elonen@iki.fi>
> Subject: Filter for W32/Swen@MM
> To: debian-mentors@lists.debian.org
> Date: Sat, 20 Sep 2003 16:38:37 +0300
> 
> Sven Luther wrote:
> 
> > BTW, the attachement is of md5sum b09e26c292759d654633d3c8ed00d18d.
> >
> > Anyone know of an easy way to filter out emails where a given
> > attachement has a particular md5sum ?
> 
> I wrote a helpfull Python script this morning and have successfully filtered 
> about 60(!) virus mails with it today already.
> 
>   http://elonen.iki.fi/code/misc-notes/mpartinfo2hdr/
> 
> The program - when a message is piped though it - analyzes mail attachments 
> and puts the results in the header...
> 
>     X-Msg-Part-Info: attachment; size="106496";
>          md5sum="b09e26c292759d654633d3c8ed00d18d";
>          claimedmime="audio/x-wav"; name="gvzvfszn.exe";
>          guessedmime="application/x-dosexec"
> 
> ... so that one can write mail reader rules to filter messages with certain 
> attachments.  I'm using Kmail myself, with the following rules:
> 
>    Add the attachment info to header:
> 
>    1) 'To' doesn't equal 'MATCH_FOR_ALL' =>
>        'pipe through' '/home/jarno/bin/mpartinfo2hdr'
>        DON'T stop if this matches
> 
>    Remove certain virus mail:
> 
>    2) 'any header' matches regexp
>       'X-Msg-Part-Info:.*b09e26c292759d654633d3c8ed00d18d'
>       => move to trash
> 
>    Move probably virus mail:
>    
>    3) 'any header' matches regexp
>       'X-Msg-Part-Info:.*guessedmime="application.x-dosexec"'
>       OR
>       'any header' matches regexp
>       'X-Msg-Part-Info:.*name="[^"]*\.pif".*'
>       => move to folder 'virus'
> 
> - Jarno
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-mentors-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> ----- End forwarded message -----
-- 
Joachim "nomeata" Breitner
  e-Mail: mail@joachim-breitner.de | Homepage: http://www.joachim-breitner.de
  JID: joachimbreitner@amessage.de | GPG-Keyid: 4743206C | ICQ#: 74513189
  Geekcode: GCS/IT/S d-- s++:- a--- C++ UL+++ P+++ !E W+++ N-- !W O? M?>+ V?
            PS++ PE PGP++ t? 5? X- R+ tv- b++ DI+ D+ G e+>* h! z?
Bitte senden Sie mir keine Word- oder PowerPoint-Anhänge.
Siehe http://www.fsf.org/philosophy/no-word-attachments.de.html

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

Reply to:

References:
- Filter for W32/Swen@MM, was Re: Virus emails
  - From: Ismael Valladolid Torres <ismael@sambara.org>

Prev by Date: Re: [cjwatson@debian.org: Re: Fwd: Processing of ferret_3.0-2_i386.changes]
Next by Date: Re: popsneaker vs. bandwidth consumption [was:Re: Virus emails]
Previous by thread: Filter for W32/Swen@MM, was Re: Virus emails
Next by thread: Re: Filter for W32/Swen@MM, was Re: Virus emails
Index(es):
- Date
- Thread