
Re: mymail worm



On Wed, Feb 04, 2004 at 01:59:32AM +0000, Antony Gelberg wrote:
> Hi all,
> 
> I haven't been around for a bit - had to unsub whilst I was waiting for
> ADSL in my new flat.  I was wondering - I have the following in my
> procmailrc to kill the last but one main virus that was going around:
> :0
> * > 140000
> * < 165000
> {
> :0 BD
> * b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv
> /dev/null
> }
> 
> Anyone have a similar rule to nuke this new mymail worm?  I have some
> samples if anyone can tell me how to analyse them to paste the correct
> thing in the BD line.

This beastie doesn't set the Message-Id: header. I find I can zap it
quite happily by looking for Message-Id: headers that have been added
by my ISP's mail relay; the following mailfilter rule works:

  DENY=^Message-Id:.*<.*@store[0-9]\.mail\.uk\.easynet\.net>

...adjust to fit your ISP's relay and translate to procmailese.

-- 
Pigeon

Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
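The relay-stamp check from the reply above, as an added Python example that is not part of the original post: it applies the pattern from the mailfilter rule to each Message-Id header, including folded and lower-case ones. The function name `classify` and all sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Relay-stamped Message-Id pattern, taken from the mailfilter rule in the post.
RELAY_ID = re.compile(r"<.*@store[0-9]\.mail\.uk\.easynet\.net>")

def classify(raw, relay_id=RELAY_ID):
    """Return 'deny' if a Message-Id header carries the relay's own stamp."""
    msg = message_from_string(raw)
    # get_all() matches header names case-insensitively; values may be folded.
    for value in msg.get_all("Message-Id", []):
        unfolded = re.sub(r"\r?\n[ \t]+", " ", value).strip()
        if relay_id.search(unfolded):
            # Limitation: legitimate mail from a client that omits Message-Id
            # gets the same relay stamp, so it is denied as well.
            return "deny"
    return "deliver"

# Constructed sample messages (not real traffic).
SAMPLES = {
    "own_id": "From: a@example.org\n"
              "Message-Id: <20040204.1@client.example.org>\n\nhi\n",
    "relay_stamped": "From: b@example.org\n"
                     "Message-Id: <E1Ao-0001@store2.mail.uk.easynet.net>\n\nbody\n",
    "folded_lowercase": "From: c@example.org\n"
                        "message-id:\n <E1Ap-0002@store7.mail.uk.easynet.net>\n\nbody\n",
    # The relay name followed by another domain must not match.
    "lookalike_domain": "From: d@example.org\n"
                        "Message-Id: <x@store2.mail.uk.easynet.net.example.com>\n\nbody\n",
    "no_id": "From: e@example.org\nSubject: test\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {classify(raw)}")
```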
