On Fri, May 17, 2002 at 11:44:30AM -0700, Michael C. Berch wrote:
| Just in the last week, the number of messages with what I assume to be 
| the Klez virus or a variant has exploded, at least for me.  Since we 
| have no Windows machines I don't pay a lot of attention to email viruses 
| and other malware, but I'm getting 20+ a day, all different insofar as 
| From and Subject headers, and I just want to kill them as spam.

Many people feel as you do -- they don't care about the worm, they
just hate the waste of resources.
 
| Has anyone written a local rule for this? 

Yep.

| I have just now started 
| looking at the messages closely, and the key part seems to be an 
| attachment of type audio/x-wav, with a filename of *.(?:pif|scr|exe|bat).
| I can't imagine anyone sending a legitimate attachment with those 
| criteria, so it should have a fairly high score, if not an automatic 
| trap.

Precisely.  The other identifying feature is an <iframe> tag in the
HTML body.  MS Outhouse is dumb enough to say "'x-wav' (or 'x-audio')
is safe content, I can _execute_ that".  (No, it does not open your
handler on it, it executes it directly, and the extension takes over
and trashes the trash system)

I have this in my exim system filter :


# Klez trait 1: an audio/x-wav part whose "filename" is an executable.
if
    "$message_body $message_body_end"
        matches "Content-.*audio/x-wav.*\.(?:pif|exe)"
    or
# Klez trait 2: the same trick with audio/x-mid and a .scr/.exe name.
    "$message_body $message_body_end"
        matches "Content-.*audio/x-mid.*\.(?:scr|exe)"
    or
# Klez trait 3: an <iframe> in the HTML body that pulls the part in.
    "$message_body $message_body_end"
        matches "<iframe.*</iframe>"
then
  # Bounce it with a reason that names the sender and the From: header.
  fail "<<klez (sender: $sender_address) (From: $h_From:)>> \
         This message has been rejected because the body contains \n\
         text that appears to be MIME Content-Type: headers used by KLEZ.\n\
         If you intended to send the data then please gzip it and resend it."
  seen finish
endif


| Question: does SA consider MIME sub-headers to be "header" or "body"?  
| They are in the traditional RFC822 message body, but they're actually 
| headers.

Body.  SA doesn't have real MIME parsing yet.

| The other one I just get over and over and finally wrote a rule for is 
| something with "Snowhite" and the 7 dwarves, and an attachment that is 
| usually an .exe file.   I'm just scoring anything with /snowhite/i and 
| an attachment as probable spam.

The Snowhite worm is old.  I haven't seen that in a long time.  (was
that one named Sircam?)  The last time I saw it was before I had a
good filter system.

-D

-- 

"Wipe Info uses hexadecimal values to wipe files. This provides more 
security than wiping with decimal values." -- Norton SystemWorks 2002 Manual
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
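The three Klez traits the thread settles on (an audio/x-wav or audio/x-midi part carrying a .pif/.scr/.exe/.bat filename, and an <iframe> in the HTML body) can also be checked with a real MIME parse instead of a regex over the flat body. The exim filter above only sees the first and last message_body_visible bytes (500 by default) with newlines flattened to spaces, so a large message can carry the tell-tale Content-Type: header outside that window. The script below is an added example, not code from the original post or from SpamAssassin; the two sample messages are constructed for the example and are not captured worm traffic, and the names klez_indicators and build_sample are the example's own.

```python
"""Klez-style attachment and <iframe> detection with a MIME-aware parse.

Added example, not code from the original thread.  The sample messages are
constructed here for the example and are not real worm traffic."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Content-Types the worm uses to coax the client into auto-executing the
# attachment, and the executable extensions it pairs them with.
LURE_TYPES = {"audio/x-wav", "audio/x-midi", "audio/x-mid"}
EXEC_EXT = re.compile(r"\.(?:pif|scr|exe|bat)$", re.IGNORECASE)
IFRAME = re.compile(r"<iframe\b", re.IGNORECASE)


def klez_indicators(raw: bytes) -> List[str]:
    """Return the reasons a message looks like Klez; an empty list means none fired.

    Walks the parsed MIME tree, so a base64 body or a header beyond the first
    few hundred bytes of the message does not hide the attachment filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        # Trait 1: an "audio" part whose filename is really an executable.
        if ctype in LURE_TYPES and EXEC_EXT.search(filename):
            reasons.append(f"{ctype} part named {filename!r}")
        # Trait 2: an <iframe> in the HTML body (used to pull the part in).
        if ctype == "text/html" and IFRAME.search(part.get_content()):
            reasons.append("<iframe> in HTML body")
    return reasons


def build_sample(ctype: str, filename: str, html: str,
                 payload: bytes = b"MZ\x90\x00") -> bytes:
    """Assemble a constructed multipart message: an HTML body plus one attachment.

    The default payload is only the first bytes of a DOS/PE header, enough to
    stand in for an executable in the example."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"   # hypothetical addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "a funny website"
    msg.set_content(html, subtype="html")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: one with all the traits, one with an x-midi/.scr pair
# and no iframe, and one legitimate recording that must not be flagged.
KLEZ_LIKE = build_sample(
    "audio/x-wav", "setup.pif",
    '<html><body><iframe src="cid:setup.pif" height=0 width=0>'
    '</iframe></body></html>')
KLEZ_MIDI = build_sample(
    "audio/x-midi", "play.scr", "<html><body>listen to this</body></html>")
LEGIT_WAV = build_sample(
    "audio/x-wav", "voicemail.wav",
    "<html><body>Here is the recording.</body></html>",
    payload=b"RIFF\x00\x00\x00\x00WAVE")

if __name__ == "__main__":
    for name, raw in (("klez-like", KLEZ_LIKE), ("midi/scr", KLEZ_MIDI),
                      ("legit wav", LEGIT_WAV)):
        print(name, "->", klez_indicators(raw) or "clean")
```

The check deliberately keys on the combination of a misleading audio Content-Type and an executable filename rather than on the extension alone, which keeps a genuine .wav or .mid attachment clean; the <iframe> test on its own is the one most likely to hit legitimate HTML newsletters, so in a scoring filter it belongs on a lower weight than the attachment test.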
