
Re: mymail worm



On Wed, 4 Feb 2004 01:59:32 +0000
Antony Gelberg <antony@antgel.co.uk> wrote:

<snip>
> Anyone have a similar rule to nuke this new mymail worm?  I have some
> samples if anyone can tell me how to analyse them to paste the correct
> thing in the BD line.

Hello Antony,

Here's a snip from one of my procmail rc files containing the rules I
use for mydoom. You could easily add two lines to the beginning of each
rule so it only runs on certain size messages. Something like this
should do it:

* > 20000
* < 40000

I set up my filters to deliver to a special mailbox to start with -
they've been running several days without an FP though, so it
should be safe to set $VIRUS to point to /dev/null.

# The following will catch Mimail.Q, MiMail.R, Mydoom, Novarg, Shimg
# and automatically filter them - as seen on spamprobe mailing list
# from 'Jem'
# http://sourceforge.net/mailarchive/forum.php?thread_id=3781344&forum_id=11958
# & http://wpbl.pc9.org/procmailrc
# Last updated 2004-01-27 21:30 CST

:0 B
* ^Content-Transfer-Encoding: base64
* b2br8E5jDS9ta3Boz9e9b7p4LmIPZ29sZC1QeGO8JMOYYWZlJUNiNafjMNhDo3DzdoW7aK
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* Y3liZXJlYnpReXQzt/gt2DJcGUNqcm9GdmtGerq//fZna0YwU2duZnh6Fy5ya3IARwtaKz
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* MNhDo3DzdoW7aK3QWmeLBluvgjl3WCtkDycfaxBbttaliR90aUqMksHRN3S2K58b2OG1bm
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* L2DHhtACuvdg5mwKCwJSjUYIVrKzx05c9wF1FBJYOcIbFl4tP1tAjWwkjEILL5nkiABgfX
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* IGYQqy4g1qORYNsPYRttqCAoagNXaCDvG89sWatHcBBPJB6o0UYq/2lFZpRr3dasC2QQaE
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* KO35/8b/9nwKf0fDana5mf5drmxazU4b64lxjvwb/f//8fYGfHlcE7FPIfVU9StifaRjcL
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
{
 :0
 $VIRUS
}

:0 B
* ^Content-Transfer-Encoding: base64
* V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
{
 :0
 $VIRUS
}

HTH,
Jacob

----- 
GnuPG Key: 1024D/16377135

Slight disorientation after prolonged system uptime is normal for new
Linux users. Please do not adjust your browser. 
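
Added example, not part of the original post or of the rc file it quotes: one way to derive a body-match line from samples already caught, by keeping only encoded lines that every sample shares, and to render it in the recipe layout above with the suggested size gate. All function names are hypothetical; it assumes LF line endings and uses `[+]` so that a base64 `+` is matched literally.

```python
import base64
import email
import re

def base64_lines(raw: bytes) -> list[str]:
    """Encoded (not decoded) lines of every base64 MIME part."""
    out = []
    for part in email.message_from_bytes(raw).walk():
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        if cte == "base64" and not part.is_multipart():
            out += [l.strip() for l in part.get_payload().splitlines() if l.strip()]
    return out

def shared_lines(samples: list[bytes], min_len: int = 60) -> list[str]:
    """Long encoded lines present in every sample: candidate signatures."""
    common = set(base64_lines(samples[0]))
    for raw in samples[1:]:
        common &= set(base64_lines(raw))
    return sorted(l for l in common if len(l) >= min_len)

def procmail_escape(fragment: str) -> str:
    # '+' is the only base64 character that is a regex operator in procmail.
    return fragment.replace("+", "[+]")

def make_recipe(fragment: str, lo: int = 20000, hi: int = 40000) -> str:
    """One recipe in the post's layout, with the suggested size gate."""
    conds = [f"* > {lo}", f"* < {hi}", "* ^Content-Transfer-Encoding: base64",
             "* " + procmail_escape(fragment)]
    return "\n".join([":0 B", *conds, "{", " :0", " $VIRUS", "}"])

def recipe_matches(raw: bytes, fragment: str, lo: int = 20000, hi: int = 40000) -> bool:
    """Approximate procmail: total-size gate, then both body regexes, ignoring case."""
    if not lo < len(raw) < hi:
        return False
    body = raw.split(b"\n\n", 1)[-1].decode("ascii", "replace")
    return all(re.search(p, body, re.I | re.M) for p in
               (r"^Content-Transfer-Encoding: base64", procmail_escape(fragment)))

def constructed_sample(subject: str, data: bytes) -> bytes:
    """Constructed test message (not a real sample): one text part, one base64 part."""
    att = base64.encodebytes(data).decode()
    return (f"From: a@example.invalid\nSubject: {subject}\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b"\n\n'
            f"--b\nContent-Type: text/plain\n\n{subject}\n"
            "--b\nContent-Type: application/octet-stream\n"
            f"Content-Transfer-Encoding: base64\n\n{att}--b--\n").encode()
```

Deliver matches to a holding mailbox first, as the post does, and check candidate lines against known-good mail before pointing `$VIRUS` at `/dev/null`.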
