giza | Procmail recipe for the SoBig worm

You're viewing

giza's journal
Create a Dreamwidth Account Learn More

Reload page in style: site light

In case anyone wants to do some filtering of SoBig, which is (still) making the rounds, the following procmail filter will delete all incoming e-mails with the worm:

#
# Filter for the SoBig worm
#
:0
* ^X-MailScanner: Found to be clean
* ^Content-Type: multipart/mixed
/dev/null

Share and enjoy! (Mad props go to Laura Atkins of The SpamCon Foundation, who originally sent it to me)

Current Music: Worms Armageddon: Stats

Flat | Top-Level Comments Only

From:

foxmagic.livejournal.com

Y'mean SoBig always adds a header saying "Found to be clean" to its messages?

How devious... how pointlessly devious, though, 'cos I wonder if anyone or anything pays attention to that header?

From:

duncandahusky.livejournal.com

Actually, it's a nasty bit of work since there is in fact an app called MailScanner and this is generating a bogus "clean" message from it. I don't claim to read procmail filters that well, but if I understand right this is an AND condition - if it has the MailScanner header AND that Content-type header THEN send it to /dev/null.

From:

giza.livejournal.com

Yep. And so far, the only thing that has been caught are copies of SoBig.

My next stupid procmail trick is going to be writing some filters that remove all file attachments from e-mails coming in on the server, and replacing them with a note stating why they were removed. (to protect against viruses)