
Re: mymail worm

Brian Potkin(brian@copernicus.demon.co.uk) is reported to have said:
> On Wed, Feb 04, 2004 at 02:10:55PM +0000, Pigeon wrote:
> > On Wed, Feb 04, 2004 at 01:59:32AM +0000, Antony Gelberg wrote:
> [Snip]
> > > Anyone have a similar rule to nuke this new mymail worm?  I have some
> > > samples if anyone can tell me how to analyse them to paste the correct
> > > thing in the BD line.
> > 
> > This beastie doesn't set the Message-Id: header. I find I can zap it
> > quite happily by looking for Message-Id: headers that have been added
> > by my ISP's mail relay; the following mailfilter rule works:
> > 
> >   DENY=^Message-Id:.*<.*@store[0-9]\.mail\.uk\.easynet\.net>
> > 
> > ...adjust to fit your ISP's relay and translate to procmailese.
> I use an identical rule in my mailfilterrc, or did until five minutes
> ago.  It's now commented out.
> Its usefulness in deleting spam and mail associated with the mymail worm
> before downloading it has been offset by the deletion of a small number
> of legitimate mails, including one a few minutes ago.  The originating
> mail server should have added a Message-Id but for some reason some
> don't.  Effective the rule might have been but I'd rather not lose mail.

So use the rule with SCORE instead of DENY.  If it's legit mail, other
score rules will let it pass.

I have yet to see any legit mail get through (and I check daily) in
well over 3 months of use.

Any programming language is at its best before it is implemented and
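
The difference between DENY and SCORE discussed in this thread, modelled in Python as an added example (not code from any of the posters, and not mailfilter's own syntax). The relay pattern is the one quoted above; the other two rules, all weights, the threshold and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Pattern from the rule quoted in the thread: a Message-Id added by the ISP relay
# means the sending host did not set one itself.
RELAY_MSGID = r"^Message-Id:.*<.*@store[0-9]\.mail\.uk\.easynet\.net>"

# (weight, header regex). Weights and the last two rules are constructed assumptions.
RULES = [
    (50, RELAY_MSGID),                          # suspicious, not conclusive alone
    (30, r"^Content-Type:\s*multipart/mixed"),  # carries an attachment
    (-60, r"^List-Id:"),                        # mailing-list traffic earns credit
]
THRESHOLD = 70  # constructed cut-off: delete at or above this total

def header_lines(raw):
    """Return unfolded 'Name: value' header lines, one string per header."""
    msg = message_from_string(raw)
    return [f"{k}: {' '.join(str(v).split())}" for k, v in msg.items()]

def matches(pattern, lines):
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.search(line) for line in lines)

def deny_verdict(raw):
    """DENY behaviour: one hit on the relay pattern deletes the mail."""
    return "delete" if matches(RELAY_MSGID, header_lines(raw)) else "keep"

def score_verdict(raw):
    """SCORE behaviour: sum all matching weights, delete only over the threshold."""
    lines = header_lines(raw)
    total = sum(w for w, p in RULES if matches(p, lines))
    return ("delete" if total >= THRESHOLD else "keep"), total

def sample(*extra):
    # Constructed sample message; every one carries a relay-added Message-Id.
    head = ["From: someone@example.org", "To: me@example.net", "Subject: hi",
            "Message-Id: <20040204.abc@store3.mail.uk.easynet.net>", *extra]
    return "\n".join(head) + "\n\nbody\n"

LEGIT_NO_MSGID = sample("Content-Type: text/plain")
WORM_LIKE = sample('Content-Type: multipart/mixed;\n boundary="x"')
LIST_MAIL = sample('Content-Type: multipart/mixed; boundary="y"',
                   "List-Id: <debian-user.lists.debian.org>")

if __name__ == "__main__":
    for name in ("LEGIT_NO_MSGID", "WORM_LIKE", "LIST_MAIL"):
        raw = globals()[name]
        print(name, "DENY:", deny_verdict(raw), "SCORE:", score_verdict(raw))
```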
