
Re: procmail "solution" against swen



On Mon, 22 Sep 2003, christophe barbe wrote:

> It has the merit of being compact but the inconvenience of reading the body.

Which is about the only reliable way to filter it.

> I use the following procmail rules:
>
>
> :0:
> *> 100000
> *^subject: (undeliverable |undelivered |returned )*(mail|message)(:* (returned to (mail|send)er|user unknown))*
> swen-junk

Not reliable enough for my taste, too many chances of false positives.

> :0:
> *> 100000
> *^subject: (new(est)* |latest |last |current )*(net(work)* |microsoft |internet )*(critical |security )*(pack|patch|update|upgrade)
> swen-junk

This will definitely not catch 'em all. See below.

> :0:
> *> 100000
> *^subject: (abort|bug|error|failure)* *(advice|announcement|letter|message|notice|report)
> swen-junk

This would catch valid messages for sure in my case.

> This catches all swen mails except those with no subject.

Nope.

Swen composes its subject line from the following words:

Current
Newest
Last
New
Latest
Net
Network
Microsoft
Internet
Critical
Security
Patch
Update
Pack
Upgrade

Below is some perl I used to test my pattern. The regexp (in PCRE)
catches most sensible combinations, but I wouldn't say this is 100%
reliable. The list of subjects has been taken from the only real
swen-messages I got (not too many).

Even if it were 100% reliable for standard swen subjects then it
wouldn't be anymore as soon as a new version made its arrival. I have
seen some messages posing as bounces with different subjects today and
those definitely used 'new' subject words...

So why did I add this PCRE pattern to our postfix? Well, because quite a
lot of 'cleaned' swen messages were sent from other MTAs to our
recipients. Because the exe was stripped RAV wouldn't catch 'em and I
didn't want our people bothered by it. It has been quite successful
(almost 100 discarded messages in the first hour of its use), but must
be updated for the new faked bounces. This is exactly the catch-up game
I don't like...

#!/usr/bin/perl

use strict;
use warnings;

my @subjects = (
                'Microsoft Internet Update Pack',
                'Last Critical Pack',
                'Newest Network Critical Update',
                'Latest Security Update',
                'Current Network Update',
                'Last Net Patch',
                'New Net Update',
                'Last Critical Upgrade',
                'Current Microsoft Pack',
                'Newest Network Critical Update',
                'Latest Security Update'
               );

foreach (@subjects) {
  # Prepend the header name so the pattern is tested as it would be
  # applied to the raw "Subject:" line.
  $_ = 'Subject: ' . $_;
  # Optional lead word, one or more middle words, optional Update/Upgrade
  # followed by optional Patch/Pack, nothing else on the line.
  if (/^Subject:(\s+(Current|New(est)?|Last|Latest))?(\s+(Net(work)?|Microsoft|Internet|Critical|Security))+((\s+(Update|Upgrade))?(\s+(Patch|Pack))?)\s*$/i) {
    #DISCARD Suspicious subject line: W32/Gibe-F alias Swen
    print "MATCH:    $_\n";
  }
  else {
    print "NO MATCH: $_\n";
  }
}


Grx HdV
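As an added example (not part of the original thread), the script below ports HdV's PCRE pattern and the second quoted procmail rule to Python, enumerates every subject that HdV's grammar admits from the word list above, and runs both patterns over those subjects plus a few constructed legitimate-looking subjects. The word list and HdV's pattern come from the post; the grammar grouping, the translation of the procmail rule, the generated and constructed subjects, and the function names are assumptions made for this example.

```python
import re
from itertools import product

# Added example, not code from the original thread. Swen's subject
# vocabulary (from the post), grouped the way HdV's pattern groups it.
LEAD = ["Current", "New", "Newest", "Last", "Latest"]
MIDDLE = ["Net", "Network", "Microsoft", "Internet", "Critical", "Security"]
TAIL1 = ["Update", "Upgrade"]
TAIL2 = ["Patch", "Pack"]

# HdV's PCRE pattern, unchanged; Python's re accepts this subset of PCRE.
HDV_PATTERN = re.compile(
    r"^Subject:(\s+(Current|New(est)?|Last|Latest))?"
    r"(\s+(Net(work)?|Microsoft|Internet|Critical|Security))+"
    r"((\s+(Update|Upgrade))?(\s+(Patch|Pack))?)\s*$",
    re.IGNORECASE,
)

# The second quoted procmail rule as a Python regex. procmail conditions
# are case-insensitive by default, hence IGNORECASE (assumption: the rule
# is used without the D flag). Note it has no end-of-line anchor.
PROCMAIL_RULE2 = re.compile(
    r"^subject: (new(est)* |latest |last |current )*"
    r"(net(work)* |microsoft |internet )*(critical |security )*"
    r"(pack|patch|update|upgrade)",
    re.IGNORECASE,
)


def hdv_matches(header_line):
    """True if HdV's pattern flags this raw 'Subject:' header line."""
    return HDV_PATTERN.search(header_line) is not None


def rule2_matches(header_line):
    """True if the quoted procmail rule would flag this header line."""
    return PROCMAIL_RULE2.search(header_line) is not None


def generate_subjects(max_middle=2):
    """Enumerate subjects admitted by HdV's grammar: optional lead word,
    1..max_middle middle words, optional Update/Upgrade, optional Patch/Pack.
    These are generated, not observed Swen subjects."""
    subjects = []
    for lead in [None] + LEAD:
        for n in range(1, max_middle + 1):
            for mids in product(MIDDLE, repeat=n):
                for t1 in [None] + TAIL1:
                    for t2 in [None] + TAIL2:
                        words = [w for w in (lead, *mids, t1, t2) if w]
                        subjects.append(" ".join(words))
    return subjects


def compare(subjects):
    """Return (hdv_only, rule2_only): subjects caught by exactly one pattern."""
    hdv_only, rule2_only = [], []
    for s in subjects:
        line = "Subject: " + s
        h, r = hdv_matches(line), rule2_matches(line)
        if h and not r:
            hdv_only.append(s)
        elif r and not h:
            rule2_only.append(s)
    return hdv_only, rule2_only


# Constructed legitimate-looking subjects used to probe false positives.
LEGIT_SUBJECTS = [
    "Microsoft Security Update",                    # indistinguishable by subject alone
    "Re: Microsoft Security Update",                # reply prefix breaks both grammars
    "Critical Security Update for Exchange 2000",   # trailing words: rule 2 still fires
    "Network outage this weekend",
]


def false_positives(subjects):
    """Return {subject: (hdv_hit, rule2_hit)} for subjects either pattern flags."""
    hits = {}
    for s in subjects:
        line = "Subject: " + s
        h, r = hdv_matches(line), rule2_matches(line)
        if h or r:
            hits[s] = (h, r)
    return hits


if __name__ == "__main__":
    gen = generate_subjects()
    hdv_only, rule2_only = compare(gen)
    print(f"{len(gen)} generated subjects; HdV-only: {len(hdv_only)}, rule2-only: {len(rule2_only)}")
    for s in hdv_only[:5]:
        print("  missed by procmail rule 2:", s)
    for s, (h, r) in false_positives(LEGIT_SUBJECTS).items():
        print(f"  legitimate subject flagged (HdV={h}, rule2={r}): {s}")
```

Running it shows the two sides of the thread's argument: the procmail rule requires a trailing Pack/Patch/Update/Upgrade and a fixed word order, so it misses subjects such as "Newest Network Critical" that HdV's grammar admits, while its missing end anchor lets it fire on "Critical Security Update for Exchange 2000", which HdV's anchored pattern rejects. Neither pattern can separate a bare "Microsoft Security Update" from a genuine bulletin by subject alone, which is why HdV does not call the pattern 100% reliable and pairs it with a size condition in the quoted procmail recipes.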


