Re: [vox-tech] Virus deluge

2004-01-30 Thread Karsten M. Self
on Thu, Jan 29, 2004 at 03:49:10PM -0800, Henry House ([EMAIL PROTECTED]) wrote:
> On Thursday, 29 January 2004, Karsten M. Self wrote:
> [...]
> > : *after* '0' indicates a lockfile.  Any rule that writes to a file
> > _should_ use a lockfile.  Rules which invoke a program '| command'
> > or delivery '! address' _don't_ need a lockfile.
> 
> Note that no lock file is needed or desirable when delivering to a maildir
> (maildirs are so designed that they require no locking). Recent versions of
> procmail understand a trailing slash on a mailbox name to mean that it is a
> maildir. Procmail will create a non-existent maildir on the fly.

Thanks.  I was wondering as I wrote that (and understand the principle
behind Maildir -- it's a qmailism), but was too lazy to check/verify.



Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
Ceterum censeo, Caldera delenda est.
SCO vs IBM Linux lawsuit info:  http://sco.iwethey.org




Re: [vox-tech] Virus deluge

2004-01-29 Thread Henry House
On Thursday, 29 January 2004, Karsten M. Self wrote:
[...]
> : *after* '0' indicates a lockfile.  Any rule that writes to a file
> _should_ use a lockfile.  Rules which invoke a program '| command'
> or delivery '! address' _don't_ need a lockfile.

Note that no lock file is needed or desirable when delivering to a maildir
(maildirs are so designed that they require no locking). Recent versions of
procmail understand a trailing slash on a mailbox name to mean that it is a
maildir. Procmail will create a non-existent maildir on the fly.

> For more information:  man procmail; man procmailrc; man procmailex

These man pages are excellent---much more readable than the standard terse
man page. The last named is a page of examples.


-- 
Henry House
The unintelligible text that may follow is a digital signature. 
See  for information.  My OpenPGP key:
.





Re: [vox-tech] Virus deluge

2004-01-29 Thread Karsten M. Self
on Tue, Jan 27, 2004 at 10:39:17PM -0800, Mark K. Kim ([EMAIL PROTECTED]) wrote:
> On Tue, 27 Jan 2004, Karsten M. Self wrote:
> 
> > > 
> > > :0 B
> > > * -1
> > > * 1^0 ^Content-Transfer-Encoding: base64
> > > * 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
> > > * 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
> > > * 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
> > > * 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
> > > * 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
> > > * 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
> > > {
> > > LOG="LOG: Virus: (Mydoom / Novar)"
> > >
> > > :0:
> > > Virus/
> > > }
> > > 
> 
> I'm new to procmail so can I ask some questions?
> 
> What do ":0 B", "-1", and "1^0" do?  Does LOG do anything?

Peter got most of this.

: starts a recipe.  Used to be that  was (IIRC) the
number of lines in the recipe.  Now it's typically set to 0, and has no
special significance.

'B' scans body

: *after* '0' indicates a lockfile.  Any rule that writes to a file
_should_ use a lockfile.  Rules which invoke a program '| command'
or delivery '! address' _don't_ need a lockfile.

For more information:  man procmail; man procmailrc; man procmailex



* 
* ^

...are scoring rules.  The first number says what to add.  The
second says when to add it, and by how much.  I understand this only
vaguely.  

Essentially:

  - No trailing value means "apply this score once in the evaluation of
this recipe".

  - A trailing '0' means "apply this score once and only once if it is
matched"

  - A trailing '1' means "add the score for *each* occurrence of a match."

  - 0  Thanks!  The rules seem to be working so far...

NP.


Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Sick of mal-formed websites?  A stylesheet to override poor design:
 http://twiki.iwethey.org/Main/UserContentCSS




Re: [vox-tech] Virus deluge

2004-01-29 Thread Rod Roark
On Wednesday 28 January 2004 11:18 pm, Samuel N. Merritt wrote:
...
> Something that plays nicely with this is to set 
> 
> local_recipient_maps = $alias_maps, unix:passwd.byname
> 
> so that messages to invalid recipients get rejected in the SMTP
> conversation. By default on Debian Woody (postfix 1.1.11), messages get
> accepted for any user, and if the user is invalid, Postfix generates a
> bounce message and sends it out. 
> 
> Rejecting the message early saves 2*(message size) in bandwidth. This
> gets significant with large worms. 

Interesting!  Although for me this does not really apply,
as all my published domains are virtual domains, for which
Postfix already rejects invalid users at SMTP time.

> Note that this is now the default in Postfix 2.0. (About time, IMHO.) It
> used to be a FAQ back in the Postfix 1.x days, but it took me a fair bit
> of Googling before I found an old Postfix 1.x FAQ that explained it. 
> 
> That old FAQ is at
> . 

Nice link - a good one to bookmark.

By the way, a quick check tells me that since Sunday afternoon
my server has rejected 2,664 attempts to deliver the MyDoom/Novarg
virus.  That's just with body_checks and does not include normal
spam blocking based on source IP.  Total rejections are 6,198.

-- Rod

___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech


Re: [vox-tech] Virus deluge

2004-01-29 Thread Samuel N. Merritt
On Tue, Jan 27, 2004 at 05:35:12AM -0800, Rod Roark wrote:
> I just created and installed a Postfix remedy for the latest
> MS malware outbreak, and thought I'd pass it on.  I'm seeing
> a VERY high rate of connections from machines infected with
> this stuff.
> 
> In main.cf, insert this:
> 
> body_checks=pcre:/etc/postfix/virus_body_checks
> 
> Create a file virus_body_checks containing this:
> 
> /^TVqQAAME\/\/8AALg/ REJECT Emails with Microsoft executable attachments are 
> not allowed here.
> /^UEsDBAoAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a 
> virus.
> 
> If anyone has an improved solution, let me know, but this
> seems to work.

Thanks! It's working for me. The attachments come in, but they don't
even hit procmail. 

Something that plays nicely with this is to set 

local_recipient_maps = $alias_maps, unix:passwd.byname

so that messages to invalid recipients get rejected in the SMTP
conversation. By default on Debian Woody (postfix 1.1.11), messages get
accepted for any user, and if the user is invalid, Postfix generates a
bounce message and sends it out. 

Rejecting the message early saves 2*(message size) in bandwidth. This
gets significant with large worms. 

Note that this is now the default in Postfix 2.0. (About time, IMHO.) It
used to be a FAQ back in the Postfix 1.x days, but it took me a fair bit
of Googling before I found an old Postfix 1.x FAQ that explained it. 

That old FAQ is at
. 

-- 
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/




Re: [vox-tech] Virus deluge

2004-01-28 Thread Peter Jay Salzman
On Tue 27 Jan 04, 10:39 PM, Mark K. Kim said:
> On Tue, 27 Jan 2004, Karsten M. Self wrote:
> 
> > > 
> > > :0 B
> > > * -1
> > > * 1^0 ^Content-Transfer-Encoding: base64
> > > * 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
> > > * 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
> > > * 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
> > > * 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
> > > * 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
> > > * 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
> > > {
> > > LOG="LOG: Virus: (Mydoom / Novar)"
> > >
> > > :0:
> > > Virus/
> > > }
> > > 
> 
> I'm new to procmail so can I ask some questions?
> 
> What do ":0 B", "-1", and "1^0" do?  Does LOG do anything?
> 
> Thanks!  The rules seem to be working so far...
> 
> -Mark

hi mark!

:0 B means search just the body.  actually, every recipe starts off
with

   :0 [flags][:]

where [] indicates optional.

next is the -1.  i have no idea what the -1 does, maybe it has something
to do with scoring?  i dunno.

1^0 has to do with scoring.  you can score stuff, like spam assassin.
you apply a set of tests, like regexes, and each time, you can assign a
number to either increase or decrease the score.  when you hit the
action line, in this case,

> > > {
> > > LOG="LOG: Virus: (Mydoom / Novar)"
> > >
> > > :0:
> > > Virus/
> > > }

if the score is greater than 0, procmail takes the action.  if the score
is less than or equal to 0, you don't take the action.  specifically,
x^y means, add x the first time the condition is matched.  then add x*y
the 2nd time the condition matches.  then add x*y*y the 3rd time the
condition matches, and so on.

so if the line

   Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk

appears once, a score of 1 is added to the overall score.  if it appears
twice or more, no additional points are added to the score.

LOG is a directive to write to a log file.  i believe you have to define
the LOGFILE variable to point to a filepath which will be procmail's
logging file.  you can use the variable VERBOSE to turn on verbosity.

hth,
pete

-- 
Make everything as simple as possible, but no simpler.  -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
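Karsten's and Peter's explanations of procmail's w^x scoring, earlier in this thread, can be checked with a small simulator. The Python below is an added example, not procmail itself and not code posted by anyone in the thread. It implements scoring exactly as Peter describes it (w on the first match, w*x on the second, w*x*x on the third, so an exponent of 0 counts a condition once), treats the bare "* -1" line as a weight added unconditionally (this example's assumption about that line), and runs the thread's recipe shape over constructed message bodies with made-up signature chunks in place of the real base64 fragments.

```python
import re

# Constructed stand-ins for the base64 signature chunks in the thread's recipe.
CHUNK1 = "c0nStRuCtEdCHUNKone1Ab"
CHUNK2 = "c0nStRuCtEdCHUNKtwo2Cd"


def recipe(chunk_exponent=0):
    """Conditions as (weight, exponent, regex); regex None = unconditional.

    Mirrors the thread's recipe:
        * -1
        * 1^0 ^Content-Transfer-Encoding: base64
        * 1^0 ^<chunk>      (anchored with '^', as Karsten recommends)
    `chunk_exponent` lets the chunk conditions use ^1 instead of ^0.
    """
    return [
        (-1, 0, None),  # assumption: a bare "* -1" adds -1 unconditionally
        (1, 0, r"^Content-Transfer-Encoding: base64"),
        (1, chunk_exponent, "^" + re.escape(CHUNK1)),
        (1, chunk_exponent, "^" + re.escape(CHUNK2)),
    ]


def score_body(body: str, conditions) -> int:
    """Apply w^x scoring as described in the thread and return the total."""
    total = 0
    for weight, exponent, regex in conditions:
        if regex is None:
            total += weight
            continue
        matches = len(re.findall(regex, body, flags=re.MULTILINE))
        for i in range(matches):
            # first match adds w, then w*x, then w*x*x, ... (0 ** 0 == 1)
            total += weight * exponent ** i
    return total


def recipe_matches(body: str, conditions) -> bool:
    """Peter's rule: the action runs only when the final score is above zero."""
    return score_body(body, conditions) > 0


# Constructed message bodies (headers of the MIME part plus content).
PLAIN = "Content-Type: text/plain\n\nhello\n"
LEGIT_BASE64 = "Content-Transfer-Encoding: base64\n\nSGVsbG8gd29ybGQh\n"
INFECTED = "Content-Transfer-Encoding: base64\n\n" + CHUNK1 + "\n" + CHUNK2 + "\n"
REPEATED = "Content-Transfer-Encoding: base64\n\n" + (CHUNK1 + "\n") * 3

if __name__ == "__main__":
    for name, body in [("plain", PLAIN), ("legit base64", LEGIT_BASE64),
                       ("infected", INFECTED), ("chunk repeated", REPEATED)]:
        print(f"{name:15} score {score_body(body, recipe()):2d} "
              f"match={recipe_matches(body, recipe())}")
    print("chunk repeated with ^1:", score_body(REPEATED, recipe(chunk_exponent=1)))
```

The starting weight of -1 is what keeps an ordinary base64 attachment at a score of 0, so the Virus/ action only fires once at least one signature chunk is also present; and the ^0 exponent is why a chunk seen three times still contributes only 1, whereas ^1 would contribute 3.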


Re: [vox-tech] Virus deluge

2004-01-27 Thread Mark K. Kim
On Tue, 27 Jan 2004, Karsten M. Self wrote:

> > 
> > :0 B
> > * -1
> > * 1^0 ^Content-Transfer-Encoding: base64
> > * 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
> > * 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
> > * 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
> > * 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
> > * 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
> > * 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
> > {
> > LOG="LOG: Virus: (Mydoom / Novar)"
> >
> > :0:
> > Virus/
> > }
> > 

I'm new to procmail so can I ask some questions?

What do ":0 B", "-1", and "1^0" do?  Does LOG do anything?

Thanks!  The rules seem to be working so far...

-Mark

-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.jsp?id=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage


Re: [vox-tech] Virus deluge

2004-01-27 Thread Karsten M. Self
on Tue, Jan 27, 2004 at 07:25:42PM -0800, Karsten M. Self ([EMAIL PROTECTED]) wrote:
> on Tue, Jan 27, 2004 at 05:35:12AM -0800, Rod Roark ([EMAIL PROTECTED]) wrote:
> > I just created and installed a Postfix remedy for the latest
> > MS malware outbreak, and thought I'd pass it on.  I'm seeing
> > a VERY high rate of connections from machines infected with
> > this stuff.
> > 
> > In main.cf, insert this:
> > 
> > body_checks=pcre:/etc/postfix/virus_body_checks
> > 
> > Create a file virus_body_checks containing this:
> > 
> > /^TVqQAAME\/\/8AALg/ REJECT Emails with Microsoft executable attachments 
> > are not allowed here.
> > /^UEsDBAoAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain 
> > a virus.
> > 
> > If anyone has an improved solution, let me know, but this
> > seems to work.
> 
> Try:
> 
> 
> :0 B
> * -1
> * 1^0 ^Content-Transfer-Encoding: base64
> * 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
> * 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
> * 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
> * 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
> * 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
> * 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
> {
> LOG="LOG: Virus: (Mydoom / Novar)"
> 
> :0:
> Virus/
> }
> 


...er...

You'll want to anchor those with '^' so you don't get false positives...
...like I did...
...on my own mail...

;-)


Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Geek for hire:  http://kmself.home.netcom.com/resume.html




Re: [vox-tech] Virus deluge

2004-01-27 Thread Karsten M. Self
on Tue, Jan 27, 2004 at 05:35:12AM -0800, Rod Roark ([EMAIL PROTECTED]) wrote:
> I just created and installed a Postfix remedy for the latest
> MS malware outbreak, and thought I'd pass it on.  I'm seeing
> a VERY high rate of connections from machines infected with
> this stuff.
> 
> In main.cf, insert this:
> 
> body_checks=pcre:/etc/postfix/virus_body_checks
> 
> Create a file virus_body_checks containing this:
> 
> /^TVqQAAME\/\/8AALg/ REJECT Emails with Microsoft executable attachments are 
> not allowed here.
> /^UEsDBAoAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a 
> virus.
> 
> If anyone has an improved solution, let me know, but this
> seems to work.

Try:


:0 B
* -1
* 1^0 ^Content-Transfer-Encoding: base64
* 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
* 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
* 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
* 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
* 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
* 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
{
LOG="LOG: Virus: (Mydoom / Novar)"

:0:
Virus/
}



Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  The revolution will not be televised.
  You can apt-get it from the usual mirrors, however.   http://www.debian.org/




Re: [vox-tech] Virus deluge

2004-01-27 Thread Mark K. Kim
Nice.  Put it into my procmail.  It's catching quite a few spams.  Some
are still coming through, so it seems like there are a couple variants,
but this certainly helps.  I guess I can catch the other ones with
something similar...

This is the worst MS spam worm so far, at least for my mailbox.

-Mark


On Tue, 27 Jan 2004, Rod Roark wrote:

> I just created and installed a Postfix remedy for the latest
> MS malware outbreak, and thought I'd pass it on.  I'm seeing
> a VERY high rate of connections from machines infected with
> this stuff.
>
> In main.cf, insert this:
>
> body_checks=pcre:/etc/postfix/virus_body_checks
>
> Create a file virus_body_checks containing this:
>
> /^TVqQAAME\/\/8AALg/ REJECT Emails with Microsoft executable attachments are 
> not allowed here.
> /^UEsDBAoAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a 
> virus.
>
> If anyone has an improved solution, let me know, but this
> seems to work.
>
> -- Rod
>
> ___
> vox-tech mailing list
> [EMAIL PROTECTED]
> http://lists.lugod.org/mailman/listinfo/vox-tech
>

-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.jsp?id=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage


[vox-tech] Virus deluge

2004-01-27 Thread Rod Roark
I just created and installed a Postfix remedy for the latest
MS malware outbreak, and thought I'd pass it on.  I'm seeing
a VERY high rate of connections from machines infected with
this stuff.

In main.cf, insert this:

body_checks=pcre:/etc/postfix/virus_body_checks

Create a file virus_body_checks containing this:

/^TVqQAAME\/\/8AALg/ REJECT Emails with Microsoft executable attachments are 
not allowed here.
/^UEsDBAoAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a 
virus.

If anyone has an improved solution, let me know, but this
seems to work.

-- Rod

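As an added illustration of how Rod's body_checks rule fires, the Python below emulates a line-oriented pcre body_checks table running over a base64-encoded executable attachment. It is not code from the thread or from Postfix. The pattern is regenerated here by base64-encoding the standard 20-byte DOS ("MZ") header; the pattern quoted in the thread appears to have lost its runs of repeated "A" characters somewhere in archiving, so treat the regenerated one as this example's own assumption. The messages are constructed inline. The example also shows why Karsten's point about anchoring with '^' matters: a mail that merely discusses the signature, as this thread does, passes the anchored rule but would be rejected by an unanchored one.

```python
import base64
import re

# Standard 20-byte DOS ("MZ") header that starts every Windows executable.
# Constructed from the well-known field layout, not taken from any real binary.
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b8000000")

# Rules in the shape of a Postfix pcre body_checks table: (pattern, action, text).
# Assumption: the pattern is the base64 encoding of MZ_HEADER, anchored at the
# start of the line the way the body_checks patterns in the thread are written.
ANCHORED_RULES = [
    (re.compile(r"^TVqQAAMAAAAEAAAA//8AALg"), "REJECT",
     "Emails with Microsoft executable attachments are not allowed here."),
]
# The same rule without '^', included only to show the false-positive risk.
UNANCHORED_RULES = [
    (re.compile(r"TVqQAAMAAAAEAAAA//8AALg"), "REJECT",
     "Emails with Microsoft executable attachments are not allowed here."),
]


def base64_lines(data: bytes, width: int = 76) -> list:
    """Encode bytes as MIME-style base64 lines of at most `width` characters."""
    encoded = base64.b64encode(data).decode("ascii")
    return [encoded[i:i + width] for i in range(0, len(encoded), width)]


def mime_message(attachment: bytes) -> str:
    """Build a constructed two-part message carrying `attachment` as base64."""
    lines = [
        "From: someone@example.invalid",
        "To: you@example.invalid",
        "Subject: test",
        'Content-Type: multipart/mixed; boundary="=_part"',
        "",
        "--=_part",
        "Content-Type: text/plain",
        "",
        "see attachment",
        "--=_part",
        "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: base64",
        "",
    ]
    lines += base64_lines(attachment)
    lines.append("--=_part--")
    return "\n".join(lines)


# A constructed mail that merely talks about the signature, as this thread does.
DISCUSSION_MESSAGE = "\n".join([
    "From: admin@example.invalid",
    "Subject: Re: Virus deluge",
    "",
    "The first base64 line of an MZ executable starts with TVqQAAMAAAAEAAAA//8AALg",
    "so that is what the body_checks pattern looks for.",
])


def body_checks(message: str, rules=ANCHORED_RULES) -> str:
    """Emulate Postfix body_checks on one message.

    Simplification: every line after the first blank line is treated as body
    (Postfix itself handles MIME part headers separately). Lines are tested
    one at a time against each rule in order; the first match wins, as in the
    real table. Returns the rule's action ("REJECT") or "OK" if nothing matched.
    """
    _headers, _, body = message.partition("\n\n")
    for line in body.split("\n"):
        for pattern, action, _text in rules:
            if pattern.search(line):
                return action
    return "OK"


if __name__ == "__main__":
    exe_mail = mime_message(MZ_HEADER + b"\x00" * 64)  # constructed payload
    print("executable attachment: ", body_checks(exe_mail))            # REJECT
    print("discussion, anchored:  ", body_checks(DISCUSSION_MESSAGE))  # OK
    print("discussion, unanchored:",
          body_checks(DISCUSSION_MESSAGE, UNANCHORED_RULES))           # REJECT
```

Because base64 encodes three bytes per four characters, the first 18 bytes of the attachment always determine the first 24 characters of its first encoded line regardless of what follows, which is why a fixed prefix anchored at line start is a stable fingerprint for the file type while an unanchored substring match catches any mail that quotes the prefix.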