Quoting Dan Hollis <[EMAIL PROTECTED]>:

> I am curious how network operators are dealing with the latest w32/bagle
> variants which seem particularly evil.

We are currently blocking *all* .zip attachments as a short-term workaround, until we can modify our virus scanner to block only password-protected zip files. If anybody has already modified amavisd-new to act in this way, I would appreciate a hand. I'm *not* a perl person, and my first attempt at changing the source code has not had the desired effect.

> Also, does anyone have tools for regexp and purging these mails from unix
> mailbox (not maildir) mailspool files? Eg purging these mails after the
> fact if they were delivered to user's mailboxes before your virus scanner
> got a database update.

It seems that this virus uses a limited number of subject lines:

# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.

There's a script, expire_mail.pl, that's useful for this. It's available at http://www.binarycode.org/cpan/scripts/mailstuff/expire_mail.pl. It can be used as such:

/usr/local/bin/expire_mail.pl -verbose -noreset -subject "[subject of message containing virus]" /var/mail/*

Of course, this won't work if/when the virus starts sending out emails with randomized subjects. Let's hope that the author isn't reading NANOG. :)

-Adam
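As an added example that is not part of the thread, of expire_mail.pl or of amavisd-new (Python here rather than Perl): a small mbox filter that purges messages by the listed subjects and also flags attachments whose zip local file header has the encryption flag set, which is the check Adam describes wanting. The sample mbox and zip headers are constructed inline, not real Bagle traffic.

```python
import email
import email.policy
from email.message import EmailMessage

# Subject lines the post lists for this Bagle variant.
BAGLE_SUBJECTS = {
    "E-mail account disabling warning.",
    "E-mail account security warning.",
    "Email account utilization warning.",
    "Important notify about your e-mail account.",
    "Notify about using the e-mail account.",
    "Notify about your e-mail account utilization.",
    "Warning about your e-mail account.",
}

def is_encrypted_zip(data: bytes) -> bool:
    """True if data starts with a zip local file header (PK\\x03\\x04) whose
    general-purpose flags (bytes 6-7, little endian) have bit 0 set, which
    marks the entry as password protected."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    return bool(int.from_bytes(data[6:8], "little") & 0x0001)

def is_suspect(msg: EmailMessage) -> bool:
    """Flag a message on a listed subject or a password-protected zip attachment."""
    if (msg.get("Subject") or "").strip() in BAGLE_SUBJECTS:
        return True
    return any(is_encrypted_zip(p.get_content()) for p in msg.iter_attachments()
               if p.get_content_type() == "application/zip")

def filter_mbox(mbox: bytes) -> tuple[list[str], list[str]]:
    """Split an mbox on its 'From ' separator lines (assumes body lines are
    '>From '-escaped as mbox requires) and return (kept, purged) subjects."""
    kept, purged = [], []
    for chunk in (b"\n" + mbox).split(b"\nFrom "):
        if not chunk.strip():
            continue  # nothing before the first separator
        headers_and_body = chunk.split(b"\n", 1)[1]  # drop the 'From ' line
        msg = email.message_from_bytes(headers_and_body, policy=email.policy.default)
        (purged if is_suspect(msg) else kept).append(str(msg["Subject"]))
    return kept, purged

def build_message(subject: str, zip_bytes: bytes = b"") -> bytes:
    """Constructed sample message in mbox form, with an optional zip attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("sample body")
    if zip_bytes:
        m.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="x.zip")
    return b"From a@example.com Mon Jan 19 10:00:00 2004\n" + m.as_bytes() + b"\n"

# Constructed local file headers: flags 0x0001 = encrypted entry, 0x0000 = plain.
ENCRYPTED_ZIP = b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22 + b"x.txt"
PLAIN_ZIP = b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 22 + b"x.txt"
SAMPLE_MBOX = (build_message("Meeting notes", PLAIN_ZIP)
               + build_message("E-mail account security warning.")
               + build_message("Hi", ENCRYPTED_ZIP))
```

Like expire_mail.pl, a subject match stops working once the subjects are randomized; the zip flag check does not depend on the subject.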
