Re: [SAtalk] New virus posing as Microsoft

2003-09-23 Thread Ron Johnson
On Tue, 2003-09-23 at 22:56, Rob Chanter wrote:
> On Sat, Sep 20, 2003 at 09:30:27AM -0400, Steven W. Orr wrote:
> [snip]
> You can block mail at (basically) four points during mail reception:
>
> * During the HELO/EHLO
> * During or after you receive envelope information
> * At the *end* of data

Re: [SAtalk] New virus posing as Microsoft

2003-09-23 Thread Rob Chanter
On Sat, Sep 20, 2003 at 09:30:27AM -0400, Steven W. Orr wrote: > > Ok. Maybe there's another explanation. See, SA can be used by lots of > different people. Trolls included. Not everyone uses SA by piping it > through procmail. I know; the better people do it that way, but I prefer > to reject

Re: [SAtalk] New virus posing as Microsoft

2003-09-21 Thread Kenneth Porter
--On Saturday, September 20, 2003 11:37 AM -0400 "Steven W. Orr" <[EMAIL PROTECTED]> wrote: By using spamass-milter you have the option of rejecting the message before reception completes. This way, the spammer knows that you have rejected his message and that you have not received it. Nope, he p

RE: [SAtalk] New virus posing as Microsoft

2003-09-21 Thread Bob Sully
On Sat, 20 Sep 2003, Larry Gilson wrote:
> I think the rule below should work. Give it a try.
>
> body MY_BAD_ATTACHMENTS /name=.*\.(com|pif|scr|exe|bat)("|$)/i
>
> I have found that 'filename=' does not always work so I shortened it to
> 'name='.

You guys are re-inventing the wheel, thoug

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Jim
On Sat, Sep 20, 2003 at 10:05:30AM -0400, Bruce Pennypacker wrote: > But the spamass-milter for sendmail DOES let you block e-mail if the SA > score is high enough. Steven may not have been entirely clear about > that, Right. And the problem is that it sounded exactly like all the other times

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Jim
On Sat, Sep 20, 2003 at 11:37:09AM -0400, Steven W. Orr wrote: > SA does not block mail. It tags mail. Then you can do whatever you want > with that tagging. Precisely. > By using spamass-milter you have the option of rejecting the > message before reception completes. This way, the spammer kn

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Jim
On Sat, Sep 20, 2003 at 11:23:32AM -0400, Larry Gilson wrote: > However, not everyone > uses Procmail. So for those who do not use an AV product and do not use > Procmail, it is certainly reasonable to try to accomplish this with SA > regardless of your configuration. Posting a request to see if

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Steven W. Orr
On Saturday, Sep 20th 2003 at 15:12 -, quoth Jim:
=>On Sat, Sep 20, 2003 at 10:05:42AM -0500, Jack L. Stone wrote:
=>> At the risk of being snapped at, I use spamass-milter to block at a certain
=>> spam threshold. So, doesn't it get that score weight from SA.??? I'm
=>> blocking a huge a

RE: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Larry Gilson
Along this thread . . . Not everyone uses an anti-virus package. I run a Postfix relay in front of Exchange servers. I use Sybari AV on the Exchange side which allows me to use up to 4 separate scan engines and apply in multiple locations of transport. Each scan location allows for custom weigh

RE: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Larry Gilson
> -Original Message-
> From: Steven W. Orr
> Also, if anyone else would like to take a stab at a recipe
> for what I'm describing I'd still be grateful. I'm getting about
> 10/hour of these things. I keep on running them all through sa-learn
> but that doesn't help because they don't

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Jim
On Sat, Sep 20, 2003 at 10:05:42AM -0500, Jack L. Stone wrote:
> At the risk of being snapped at, I use spamass-milter to block at a certain
> spam threshold. So, doesn't it get that score weight from SA.??? I'm
> blocking a huge amount of spams with spamass-milter this way. That stops
> them

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Jack L. Stone
At 01:35 PM 9.20.2003 +, Jim wrote: >On Sat, Sep 20, 2003 at 09:30:27AM -0400, Steven W. Orr wrote: >> So what I was asking for was a rule to add to my local.cf which would >> recognize the fact that the remaining elements of the virus that're >> getting through contain a MIME attachment of t

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Jim
On Sat, Sep 20, 2003 at 10:03:09AM -0400, Bruce Pennypacker wrote: > also block obvious spam if the SA score is extremely high. It's a > feature of the spamass-milter for sendmail. That's fine, but that wasn't what he asked about explicitly; and he can't expect everyone to run and look up how sp

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Bruce Pennypacker
Steven W. Orr wrote:
On Saturday, Sep 20th 2003 at 03:47 -, quoth Jim:
=>On Fri, Sep 19, 2003 at 10:56:19PM -0400, Steven W. Orr wrote:
=>> No. I'm running sendmail with spamass-milter. I do not want to do it in
=>> procmail or postfix. I want to do it in SA.
=>
=>Then you either don't yet u

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Bruce Pennypacker
Jim wrote: On Sat, Sep 20, 2003 at 09:30:27AM -0400, Steven W. Orr wrote: So what I was asking for was a rule to add to my local.cf which would recognize the fact that the remaining elements of the virus that're getting through contain a MIME attachment of type Application/X-MSDOWNLOAD and the

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Jim
On Sat, Sep 20, 2003 at 09:30:27AM -0400, Steven W. Orr wrote: > So what I was asking for was a rule to add to my local.cf which would > recognize the fact that the remaining elements of the virus that're > getting through contain a MIME attachment of type Application/X-MSDOWNLOAD > and the file

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Steven W. Orr
On Saturday, Sep 20th 2003 at 03:47 -, quoth Jim:
=>On Fri, Sep 19, 2003 at 10:56:19PM -0400, Steven W. Orr wrote:
=>> No. I'm running sendmail with spamass-milter. I do not want to do it in
=>> procmail or postfix. I want to do it in SA.
=>
=>Then you either don't yet understand what SA is

Re: [SAtalk] New virus posing as Microsoft

2003-09-20 Thread Christopher X. Candreva
On Fri, 19 Sep 2003, Steven W. Orr wrote: > But I don't want to block with a procmail rule. I want to block it with an > SA rule. In fact, I don't even use procmail. I use spamass-milter. I want > all my spam to be rejected before it gets in. I realize this isn't what you asked for, but this is t

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Jim
On Fri, Sep 19, 2003 at 10:56:19PM -0400, Steven W. Orr wrote:
> No. I'm running sendmail with spamass-milter. I do not want to do it in
> procmail or postfix. I want to do it in SA.

Then you either don't yet understand what SA is for, or you are a troll.
--

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Steven W. Orr
On Friday, Sep 19th 2003 at 10:54 -0400, quoth Forrest Aldrich: =>This new virus appears to generate many (random?) subjects, so it's getting =>difficult to narrow down. => =>Has anyone filters for Spamassassin that will correctly identify this =>virus? I'd like to score this one high so they a

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Bob Proulx
Jon Gabrielson wrote:
> Here is my procmail rule:
>
> :0B
> * Content-Type: application|Content-Type: audio
> * name=".*.pif"|name=".*.scr"|name=".*.exe"|name=".*.com"
> /tmp/viruses

Thanks for sharing that. But also a nit. '.' matches any character. So '.*.' is the same as '.*'. You probably

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Steven W. Orr
On Saturday, Sep 20th 2003 at 04:44 +0200, quoth Jim Knuth:
=>Hello Steven W. Orr,
=>
=>> But I don't want to block with a procmail rule. I want to block it with an
=>> SA rule. In fact, I don't even use procmail. I use spamass-milter. I want
=>> all my spam to be rejected before it gets in.
=>
=>

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Bob Apthorpe
Hi, On Fri, 19 Sep 2003, Forrest Aldrich wrote: > This new virus appears to generate many (random?) subjects, so it's getting > difficult to narrow down. > > Has anyone filters for Spamassassin that will correctly identify this > virus? I'd like to score this one high so they are rejected (via >

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Jim Knuth
Hello Steven W. Orr, on Saturday, 20 September 2003, 04:07:16, you wrote:
> On Friday, Sep 19th 2003 at 16:09 -0500, quoth Jon Gabrielson:
=>>Just block
=>>
=>>name="*.scr" and name="*.exe"
=>>
=>>you should probably be blocking these anyways.
=>>
=>>Anyone who needs to send an exe can easily

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Steven W. Orr
On Friday, Sep 19th 2003 at 16:09 -0500, quoth Jon Gabrielson:
=>Just block
=>
=>name="*.scr" and name="*.exe"
=>
=>you should probably be blocking these anyways.
=>
=>Anyone who needs to send an exe can easily just zip it.
=>
=>Here is my procmail rule:
=>
=>:0B
=>* Content-Type: application|Cont

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Jon Gabrielson
Just block

name="*.scr" and name="*.exe"

you should probably be blocking these anyways.

Anyone who needs to send an exe can easily just zip it.

Here is my procmail rule:

:0B
* Content-Type: application|Content-Type: audio
* name=".*.pif"|name=".*.scr"|name=".*.exe"|name=".*.com"
/tmp/viruses

RE: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Larry Gilson
I have not seen one specific From/To/Subject pattern to catch a rule on. The only thing this virus has in common is a '.exe'. Interestingly enough, it seems that all the really bad worms have attachments that are .bat, .pif, .scr, .exe, or .com. Most of the fairly tame ones hide in other document

[SAtalk] New virus posing as Microsoft

2003-09-19 Thread Forrest Aldrich
This new virus appears to generate many (random?) subjects, so it's getting difficult to narrow down. Has anyone filters for Spamassassin that will correctly identify this virus? I'd like to score this one high so they are rejected (via spamass-milter)... it's been a huge problem all day. The

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Peter Campion-Bye
> This new virus appears to generate many (random?) subjects, so it's > getting > difficult to narrow down. > > Has anyone filters for Spamassassin that will correctly identify this > virus? I'd like to score this one high so they are rejected (via > spamass-milter)... it's been a huge problem all

Re: [SAtalk] New virus posing as Microsoft

2003-09-19 Thread Steve Prior
I believe that the emails will all claim to be from a microsoft support address which might be a part of the solution. Other things which might also bump up the score would be "cumulative patch", "eliminates all known security vulnerabilities" (insert sarcasm here), and "This update". Steve Fo
