On Fri, Sep 19, 2003 at 03:30:43PM +0200, Nicos Gollan (gtdev@spearhead.de) wrote:
> On Friday 19 September 2003 05:33, Kirk Strauser wrote:
> > I don't know what's going on, but I've been getting literally
> > hundreds of virus/worm-looking emails per hour all day today. I
> > grew tired of it and wrote the following Sieve script to filter my
> > mail on the server.
>
> I tried it with SpamAssassin by setting the MICROSOFT_EXECUTABLE score
> to 5. This only seems to work for about 75% of the stuff since in
> many cases, the attachment is empty. One would expect that worm writers
> knew how to send mails by now...
Between that and Bayesian training, I'm getting 'em all now. Finally.
I'd written a procmail rule to capture any executables which managed to
slip past. I use this with the "spamfilter" package of procmail
recipes and a couple of utilities based on Lars Wirzenius's procmail
filters.
The rule checks against a whitelist, notes executable attachments,
trains against spamassassin, then dumps the mail in a "Virus" folder. I
apply this _after_ standard spamassassin filtering. I was getting some
mail slipping through, not sure why.
# Windows executable extensions (procmail regexes are case-insensitive
# by default; "DO." and "XL." also catch DOC/DOT, XLS/XLT and friends).
WINDOWS_EXECUTABLE_EXT=(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)
# LOG= does not add a newline by itself, so keep one in a variable.
NL="
"
# B: match against the body, where the MIME part headers live.
:0B
* ^Content-Type: [A-Za-z][-A-Za-z]*/[A-Za-z][-A-Za-z]*; name=['"]*[^ ][^ ]*\.$WINDOWS_EXECUTABLE_EXT['"]*
{
  # chkmail and $WHITELIST come from the spamfilter setup mentioned above.
  # c: carbon copy, keep processing; w: wait for the program and check its
  # exit code, which the following "a" recipe relies on (without w the
  # exit code is ignored). The shell "!" inverts it: success = NOT whitelisted.
  :0cw
  | ! chkmail --header "From|Sender" $WHITELIST
  # a: only runs if the preceding recipe succeeded, i.e. sender not whitelisted
  :0a
  {
    LOG="(Virus: MSFT executable)$NL"
    # Train spamassassin on a copy, then file the mail (trailing / = maildir)
    :0c
    | sa-learn --spam --single
    :0:
    Virus/
  }
}
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Defeat EU Software Patents! http://swpat.ffii.org/
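As an added example (not code from the post, nor from the spamfilter package or procmail), here is the same filename policy re-implemented with Python's standard-library MIME parser, run over three constructed messages. It flags a part by its advertised file name only, so an empty .pif (the case the quoted reply says the content-based SpamAssassin rule misses) is still caught; and it goes one step further than the procmail condition by also reading the filename= of Content-Disposition, which a `^Content-Type: ...; name=` regex never sees. The sample mails, addresses and boundaries are made up for the example.

```python
"""Filename-based check for Windows-executable attachments.

Added example, not from the original post: the procmail recipe's extension
policy (Content-Type name=) re-done with the stdlib email parser, plus the
Content-Disposition filename= that the recipe's regex does not look at.
All sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import collapse_rfc2231_value

# Same list as the recipe's WINDOWS_EXECUTABLE_EXT, duplicates removed.
# "DO." and "XL." keep the recipe's wildcard dot (DOC/DOT, XLS/XLT, ...).
WINDOWS_EXECUTABLE_EXT = (
    "ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|"
    "JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|"
    "SHB|SHS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL."
)
# Anchored at the end of the name: "foo.exe" is flagged, "foo.exe.txt" is not.
EXT_RE = re.compile(r"\.(?:%s)$" % WINDOWS_EXECUTABLE_EXT, re.IGNORECASE)

# Transcription of the recipe's own condition (Content-Type name= only),
# so both tests can be compared on the same input.
PROCMAIL_RE = re.compile(
    r"^Content-Type: [A-Za-z][-A-Za-z]*/[A-Za-z][-A-Za-z]*; "
    r"name=['\"]*[^ \n]+\.(?:%s)['\"]*" % WINDOWS_EXECUTABLE_EXT,
    re.IGNORECASE | re.MULTILINE,
)


def part_filenames(part: Message):
    """Yield every file name a part advertises: Content-Type name= and
    Content-Disposition filename= (worms use either, so check both)."""
    name = part.get_param("name")
    if name:
        name = collapse_rfc2231_value(name)
        yield name
    fname = part.get_filename()  # Content-Disposition; falls back to name=
    if fname and fname != name:
        yield fname


def executable_attachments(raw: str) -> list:
    """File names of all parts ending in a Windows executable extension.
    Part contents are never read, so an empty attachment is still flagged."""
    hits = []
    for part in message_from_string(raw).walk():
        for fn in part_filenames(part):
            if EXT_RE.search(fn.strip()):
                hits.append(fn)
    return hits


def procmail_style_match(raw: str) -> bool:
    """What the recipe's regex alone would decide for this message."""
    return PROCMAIL_RE.search(raw) is not None


# Constructed sample 1: worm-style mail whose .pif part is empty.
WORM_MAIL = """\
From: someone@example.com
To: victim@example.net
Subject: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/octet-stream; name="document.pif"
Content-Transfer-Encoding: base64

--XYZ--
"""

# Constructed sample 2: ordinary mail with a text attachment.
CLEAN_MAIL = """\
From: colleague@example.org
To: victim@example.net
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

some notes
--ABC--
"""

# Constructed sample 3: harmless name= on Content-Type, executable
# filename= on Content-Disposition; only the disposition-aware check sees it.
SMUGGLED_MAIL = """\
From: someone@example.com
To: victim@example.net
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="DEF"

--DEF
Content-Type: application/octet-stream; name="report.txt"
Content-Disposition: attachment; filename="report.txt.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--DEF--
"""

if __name__ == "__main__":
    for label, mail in (("worm", WORM_MAIL), ("clean", CLEAN_MAIL),
                        ("smuggled", SMUGGLED_MAIL)):
        print(label, executable_attachments(mail), procmail_style_match(mail))
```

Either version is a cheap first filter on the advertised name, nothing more: a part that carries no name at all, or a name the parser cannot recover, passes both checks, so this belongs in front of, not instead of, content-based scanning.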