Forrest Aldrich asks:

> This new virus appears to generate many (random?) subjects, so it's getting 
> difficult to narrow down.
> 
> Has anyone filters for Spamassassin that will correctly identify this 
> virus?  I'd like to score this one high so they are rejected (via 
> spamass-milter)... it's been a huge problem all day.

   I created three rules to catch it.  I suppose I should have done
them as a meta-rule but I'm lazy.

   Here they are:

body  RUN_ATTACHED              /Run.{1,6}attached file/i
describe RUN_ATTACHED           Asks the recipient to run the attached file.

rawbody MS_LINK                 /http:\/\/support\.microsoft\.com\//i
describe MS_LINK                Links back to Microsoft.com

body PROTECT_YR_CPU             /protect your computer/i
describe PROTECT_YR_CPU         Yaps about protecting your computer

score RUN_ATTACHED              1.5
score MS_LINK                   0.35
score PROTECT_YR_CPU            0.75


   For good measure, since there's been a remark about not
replying to the e-mail in question, I also created two more:


body UNMONITORED_EMAIL          /unmonitored e-mail address/i
describe UNMONITORED_EMAIL      States that the address is not monitored

body DONOT_REPLY                /do not reply to this message/i
describe DONOT_REPLY            Asks that the receiver not reply to this message

score UNMONITORED_EMAIL         3.7
score DONOT_REPLY               1.5


   Yes, I know that the 3.7 for "UNMONITORED_EMAIL" seems a wee on
the high side, but I really can't imagine a human using that syntax
in an inter-personal e-mail unless he's talking about filtering
rules (and there you have a chicken-and-egg problem).

   For what it's worth, I've looked at _real_ notes from MS, and this
week's says that there's a hoax going around and it's not from them.
The wording and grammar are quite different from that of the worm.

   I hate social engineers....

+------------------------------------------------+---------------------+
| Carl Richard Friend (UNIX Sysadmin)            | West Boylston       |
| Minicomputer Collector / Enthusiast            | Massachusetts, USA  |
| mailto:[EMAIL PROTECTED]                        +---------------------+
| http://users.rcn.com/crfriend/museum           | ICBM: 42:22N 71:47W |
+------------------------------------------------+---------------------+
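
Added example (not part of the original post): a simplified Python model of how the five rules above add up, and of the meta-rule approach the post mentions. It assumes the SpamAssassin default threshold of 5.0, applies every pattern to the same whitespace-normalised text rather than reproducing real body/rawbody handling, and uses two constructed sample bodies; `meta_hit` is a hypothetical stand-in for a meta-rule.

```python
import re

# The five rules from the post as (name, pattern, score); all are used with /i.
RULES = [
    ("RUN_ATTACHED", r"Run.{1,6}attached file", 1.5),
    ("MS_LINK", r"http://support\.microsoft\.com/", 0.35),
    ("PROTECT_YR_CPU", r"protect your computer", 0.75),
    ("UNMONITORED_EMAIL", r"unmonitored e-mail address", 3.7),
    ("DONOT_REPLY", r"do not reply to this message", 1.5),
]
REQUIRED = 5.0  # assumption: the site keeps SpamAssassin's default required_score

# Constructed sample bodies (not real messages).
WORM_LIKE = (
    "Run the attached file to protect your computer.\n"
    "See http://support.microsoft.com/ for details.\n"
    "This was sent from an unmonitored e-mail address;\n"
    "do not reply to this message."
)
LEGIT_NOTICE = (
    "Your order has shipped. Please do not reply to this message;\n"
    "it was sent from an unmonitored e-mail address."
)

def hits(body):
    """Names of the rules whose pattern matches, in RULES order."""
    text = " ".join(body.split())  # collapse line breaks so phrases can span lines
    return [name for name, pat, _ in RULES if re.search(pat, text, re.I)]

def additive_score(body):
    """Sum of the scores of every matching rule (independent rules, as posted)."""
    scores = {name: score for name, _, score in RULES}
    return round(sum(scores[name] for name in hits(body)), 2)

def meta_hit(body, minimum=3):
    """Hypothetical meta-rule: fire only when `minimum` or more sub-rules co-occur."""
    return len(hits(body)) >= minimum

if __name__ == "__main__":
    for label, body in (("worm-like", WORM_LIKE), ("legit notice", LEGIT_NOTICE)):
        total = additive_score(body)
        print(f"{label}: hits={hits(body)} score={total} "
              f"over_threshold={total >= REQUIRED} meta={meta_hit(body)}")
```

With independent scores, the constructed shipping notice reaches 5.2 on UNMONITORED_EMAIL and DONOT_REPLY alone, while the co-occurrence check fires only on the worm-like body.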

