Procmail for swen?
Chris Devers
cdevers at pobox.com
Wed Sep 24 21:05:26 EDT 2003
On Sat, 20 Sep 2003, Duane Morin wrote:
> Ok, I can't take it anymore. Anybody got some procmail rules for
> killing incoming swen mail? I've got north antivirus but that's
> installed on my windows machine -- I check 90% of my email on a linux
> console.

It's late of course, but here's the recipe Randal Schwartz posted when
this question came up on another list:

Date: 22 Sep 2003 09:24:59 -0700
From: Randal L. Schwartz <merlyn at stonehenge.com>
To: Rick <rick at fu2k.org>
Subject: Re: (void) worm signature for procmail
>>>>> "Rick" == Rick <rick at fu2k.org> writes:
Rick> Anybody got a signature for the Swen worm that I can plug into
Rick> procmail? It's starting to pick up the pace and get on my tits.
Rick> I have had a look around but can't find one yet so any pointers
Rick> would be appreciated.

I'm using this with pretty good success against both SWEN and SOBIG:

# http://www.xs4all.nl/~rsmith/spamblock.html
# gaaaah!
:0 BHh
* ^Content-Type: multipart/(mixed|alternative)
* ^Content-Type:.*(audio/x-|application|x-rasmol)
* name=.*\.(scr|com|bat|pif|lnk|exe)
$HOME/sobig.f

Of course, it traps *any* MS executable, but you shouldn't be getting
those anyway, right?

The headers end up in the file (anachronistically named here).

--
Randal L. Schwartz
[rest of his .sig snipped]

Looks like a decent, general purpose solution to me.

--
Chris Devers
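
Added example (not part of the original thread, and not Randal Schwartz's or procmail's own code): a Python approximation of how the recipe's three conditions are evaluated, run over constructed messages to check what the rule would file away before it goes into a .procmailrc. It assumes Python's re with IGNORECASE and MULTILINE behaves like procmail's case-insensitive egrep for these patterns; search_area, recipe_matches, make_message and all sample addresses and filenames are hypothetical.

```python
import re

# The three conditions, copied from the recipe in the post.
CONDITIONS = [
    r"^Content-Type: multipart/(mixed|alternative)",
    r"^Content-Type:.*(audio/x-|application|x-rasmol)",
    r"name=.*\.(scr|com|bat|pif|lnk|exe)",
]
# Assumption: procmail's egrep ignores case (no D flag) and ^ anchors at line starts.
FLAGS = re.IGNORECASE | re.MULTILINE

def search_area(raw):
    """Flags B and H: header plus body are searched; folded header lines are joined."""
    header, sep, body = raw.partition("\n\n")
    return re.sub(r"\n(?=[ \t])", "", header) + sep + body

def recipe_matches(raw):
    """Every condition must match somewhere in the area for the action to run."""
    area = search_area(raw)
    return all(re.search(c, area, FLAGS) for c in CONDITIONS)

def make_message(part_type, filename):
    """Constructed sample: multipart/mixed mail carrying one named attachment."""
    return (
        "From: sender@example.org\nSubject: constructed sample\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed;\n\tboundary="XX"\n\n'
        "--XX\nContent-Type: text/plain\n\nSee attachment.\n"
        f'--XX\nContent-Type: {part_type};\n\tname="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--XX--\n"
    )

# Constructed: not multipart, so condition 1 fails although the body mentions a name.
PLAIN = "From: sender@example.org\nContent-Type: text/plain\n\nname=notes.exe in the text\n"

if __name__ == "__main__":
    samples = {
        "executable attachment": make_message("application/octet-stream", "update.exe"),
        "ordinary PDF": make_message("application/pdf", "report.pdf"),
        # The extension list is unanchored, so ".com" inside ".company" also matches.
        "PDF with .com in its name": make_message("application/pdf", "acme.company-report.pdf"),
        "plain text mail": PLAIN,
    }
    for label, raw in samples.items():
        print(f"{label}: {'filed' if recipe_matches(raw) else 'delivered normally'}")
```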