There is another way to deal with the Sobig virus: blocking the attached pif file without sending a notification to the forged sender.

As you can read at <http://www.sophos.com/virusinfo/analyses/w32sobigf.html>, Sobig usually sends an attachment with one of these names:

movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif

So you could add these lines to your quarantine-attachments.txt file, before the line that blocks pif files:

movie0045.pif   0       Sobig Virus
wicked_scr.scr  0       Sobig Virus
application.pif 0       Sobig Virus
document_9446.pif       0       Sobig Virus
details.pif     0       Sobig Virus
your_details.pif        0       Sobig Virus
thank_you.pif   0       Sobig Virus
document_all.pif        0       Sobig Virus
your_document.pif       0       Sobig Virus

I've tested it by sending an innocuous file named "movie0045.pif" and here is the log:

.........
26/08/2003 15:50:49:24914: p_s: checking movie0045.pif against perlscanner database...
26/08/2003 15:50:49:24914: p_s: file movie0045.pif is lowercased to movie0045.pif and has extension .pif
26/08/2003 15:50:49:24914: p_s: compare movie0045.pif against perlscanner database
26/08/2003 15:50:49:24914: p_s: Quarantine movie0045.pif! (Sobig Virus)
..........
26/08/2003 15:50:49:24914: v_v_t_r: called with Sobig Virus
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain klez?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain bugbear?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain hybris?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain yaha?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain braid?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain nimda?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain tanatos?
26/08/2003 15:50:49:24914: v_v_t_r: does Sobig Virus contain sobig?
26/08/2003 15:50:49:24914: v_v_t_r: yes it does! - so don't notify the sender
26/08/2003 15:50:49:24914: n_a: notify_addr (set to sender,admin) called with admin
...........


And obviously the sender (me) wasn't notified.

Regards

Salvatore

PS: The list didn't accept this message from me yesterday; maybe the list was using "relays.osirusoft.com" like me...

Failed to deliver your message to [EMAIL PROTECTED]:
SMTP: Address rejected by host
Host 'mail.sourceforge.net' says:
451 Talk to your mail administrator for details.


On the other hand I can't talk to my mail administrator, because I am the mail administrator. ;-)
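A simplified model of the two steps visible in the log above (filename lookup, then the check of the description against known sender-forging virus names), added here as an example; it is not part of the original post and is not qmail-scanner's own code. Assumptions: the first matching line wins, a size of 0 matches any size, and the generic `.pif` line with its description is constructed for illustration.

```python
# Added illustration: a simplified model, not qmail-scanner's implementation.
# Virus names taken from the v_v_t_r lines in the log above.
FORGING_VIRUSES = ["klez", "bugbear", "hybris", "yaha",
                   "braid", "nimda", "tanatos", "sobig"]

# Constructed sample database: name, size, description.
# The generic ".pif" line and its description are assumptions.
SAMPLE_DB = """\
movie0045.pif\t0\tSobig Virus
details.pif\t0\tSobig Virus
.pif\t0\tPIF files not allowed
"""

def parse_db(text):
    """Parse 'name size description' lines, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, size, desc = line.split(None, 2)
        entries.append((name.lower(), int(size), desc))
    return entries

def match_attachment(filename, size, entries):
    """Return the description of the first matching entry, or None."""
    fname = filename.lower()  # the log shows the name being lowercased
    for name, want_size, desc in entries:
        # Entries starting with "." are treated as extensions (assumption).
        name_hit = fname.endswith(name) if name.startswith(".") else fname == name
        if name_hit and want_size in (0, size):  # assumption: 0 = any size
            return desc
    return None

def notify_targets(desc, configured=("sender", "admin")):
    """Drop 'sender' when the description names a sender-forging virus."""
    forged = any(v in desc.lower() for v in FORGING_VIRUSES)
    return [t for t in configured if not (forged and t == "sender")]

def handle(filename, size, entries):
    """Return (description, addresses to notify) for one attachment."""
    desc = match_attachment(filename, size, entries)
    return (desc, notify_targets(desc)) if desc else (None, [])
```

With the specific lines placed after the generic one, `movie0045.pif` would pick up the generic description and the forged sender would be notified again, which is why the ordering in the advice above matters under this model.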


