Re: mymail worm
Brian Potkin (brian@copernicus.demon.co.uk) is reported to have said:
> On Wed, Feb 04, 2004 at 02:10:55PM +0000, Pigeon wrote:
>
> > On Wed, Feb 04, 2004 at 01:59:32AM +0000, Antony Gelberg wrote:
>
> [Snip]
>
> > > Anyone have a similar rule to nuke this new mymail worm? I have some
> > > samples if anyone can tell me how to analyse them to paste the correct
> > > thing in the BD line.
> >
> > This beastie doesn't set the Message-Id: header. I find I can zap it
> > quite happily by looking for Message-Id: headers that have been added
> > by my ISP's mail relay; the following mailfilter rule works:
> >
> > DENY=^Message-Id:.*<.*@store[0-9]\.mail\.uk\.easynet\.net>
> >
> > ...adjust to fit your ISP's relay and translate to procmailese.
>
> I use an identical rule in my mailfilterrc, or did until five minutes
> ago. It's now commented out.
>
> Its usefulness in deleting spam and mail associated with the mymail worm
> before downloading it has been offset by the deletion of a small number
> of legitimate mails, including one a few minutes ago. The originating
> mail server should have added a Message-Id but for some reason some
> don't. Effective the rule might have been but I'd rather not lose mail.
>
So use the rule with SCORE instead of DENY. If it's legit mail, other
score rules will let it pass.
I have yet to see any legit mail get through (and I check daily) in
well over 3 months of use.
Wayne
--
Any programming language is at its best before it is implemented and
used.
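
The DENY-versus-SCORE trade-off discussed in this thread, as an added Python model (not code from any poster and not mailfilter's own implementation). The weights, the threshold, the two extra rules and the sample headers are constructed assumptions; only the Message-Id pattern comes from the thread.

```python
import re

FLAGS = re.I | re.M
# Pattern from the thread: a Message-Id that the ISP relay had to add.
RELAY_MSGID = re.compile(r"^Message-Id:.*<.*@store[0-9]\.mail\.uk\.easynet\.net>", FLAGS)

# Hypothetical additive rules: (weight, pattern). Negative weights rescue mail.
SCORE_RULES = [
    (60, RELAY_MSGID),                                          # sender set no Message-Id
    (50, re.compile(r"^Content-Type:.*multipart/mixed", FLAGS)),  # assumed second signal
    (-40, re.compile(r"^List-Id:", FLAGS)),                     # assumed list-traffic credit
]
THRESHOLD = 100  # assumed cut-off: delete only at or above this total


def unfold(headers):
    """Join folded header lines so a wrapped Message-Id still matches."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def deny_verdict(headers):
    """DENY behaviour: a single match deletes the message."""
    return bool(RELAY_MSGID.search(unfold(headers)))


def score(headers):
    """SCORE behaviour: sum the weights of every rule that matches."""
    flat = unfold(headers)
    return sum(weight for weight, rule in SCORE_RULES if rule.search(flat))


def score_verdict(headers):
    return score(headers) >= THRESHOLD


# Constructed sample headers (not real mail).
WORM_LIKE = (
    "From: someone@example.org\n"
    "Subject: test\n"
    "Message-Id:\n <E1AoXyz-0001@store3.mail.uk.easynet.net>\n"  # folded header
    "Content-Type: multipart/mixed; boundary=\"x\"\n"
)
LEGIT_NO_MSGID = (
    "From: friend@example.org\n"
    "Subject: lunch on Friday\n"
    "Message-Id: <E1AoAbc-0002@store1.mail.uk.easynet.net>\n"
    "Content-Type: text/plain\n"
)

if __name__ == "__main__":
    for name, h in (("worm-like", WORM_LIKE), ("legit", LEGIT_NO_MSGID)):
        print(name, "DENY deletes:", deny_verdict(h), "score:", score(h),
              "SCORE deletes:", score_verdict(h))
```
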