on Fri, Sep 19, 2003 at 03:30:43PM +0200, Nicos Gollan ([EMAIL PROTECTED]) wrote:
> On Friday 19 September 2003 05:33, Kirk Strauser wrote:
> > I don't know what's going on, but I've been getting literally
> > hundreds of virus/worm-looking emails per hour all day today. I
> > grew tired of it and wrote the following Sieve script to filter my
> > mail on the server.
>
> I tried it with SpamAssassin by setting the MICROSOFT_EXECUTABLE score
> to 5. This only seems to work for about 75% of the stuff since in
> many cases, the attachment is empty. One would expect that worm writers
> knew how to send mails by now...

Between that and Bayesian training, I'm getting 'em all now. Finally.

I'd written a procmail rule to capture any executables which managed to
slip past. I use this with the "spamfilter" package of procmail recipes
and a couple of utilities based on Lars Wirzenius's procmail filters.

The rule checks against a whitelist, notes executable attachments,
trains against spamassassin, then dumps the mail in a "Virus" folder. I
apply this _after_ standard spamassassin filtering. I was getting some
mail slipping through, not sure why.

    WINDOWS_EXECUTABLE_EXT=(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|SYS|URL|VB|VBE|VBS|WSC|WSF|WSH|XL.)

    # B: test the condition against the message body, where the MIME part headers are
    :0B
    * ^Content-Type: [A-z][-A-z]*\/[A-z][-A-z]*; name=['"]*[^ ][^ ]*\.$WINDOWS_EXECUTABLE_EXT['"]*
    {
        # Check the sender headers against the whitelist
        :0c
        | ! chkmail --header "From|Sender" $WHITELIST

        # a: only runs if the preceding recipe succeeded
        :0a
        {
            LOG="(Virus!: MSFT executable"

            # Train spamassassin
            :0c
            | sa-learn --spam --single

            :0:
            Virus/
        }
    }

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Defeat EU Software Patents!                         http://swpat.ffii.org/
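The attachment-name check discussed in this thread, as an added Python example that is not part of the original messages. It goes beyond the procmail regex by parsing the MIME structure, so it also sees a name= on a folded header line, a filename= in Content-Disposition, and the "empty attachment" case; the function name and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Same alternation as WINDOWS_EXECUTABLE_EXT in the message above (duplicates dropped).
EXT_RE = re.compile(
    r"(ADE|ADP|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|HLP|HTA|INF|INS|ISP|JS|JSE|"
    r"LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|URL|"
    r"VB|VBE|VBS|WSC|WSF|WSH|XL.)", re.IGNORECASE)

def executable_attachments(raw):
    """Return [(filename, decoded_size)] for parts whose name has a listed extension."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= first, then falls
        # back to Content-Type name=, and copes with folded headers and quoting.
        name = part.get_filename()
        if not name or "." not in name:
            continue
        if EXT_RE.fullmatch(name.rsplit(".", 1)[1].strip()):
            size = len(part.get_payload(decode=True) or b"")
            hits.append((name, size))  # size 0 is the empty-attachment case
    return hits

# Constructed sample: one folded name= header, one filename= with an empty body.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/octet-stream;
 name="details.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch.EXE"
Content-Transfer-Encoding: base64

--XX--
"""
if __name__ == "__main__":
    print(executable_attachments(SAMPLE))
```
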