Date:      Tue, 27 Nov 2001 10:58:45 -0500
From:      Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To:        questions@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject:   Re: The Stupid Virus going arround.
Message-ID:  <20011127155844.GD36710@keyslapper.org>
In-Reply-To: <20011127144157.GA12429@rhadamanth>
References:  <012101c17750$94e047e0$a50410ac@olmct.net> <20011127144157.GA12429@rhadamanth>

On 11/27/01 02:41 PM, setantae sat at the `puter and typed:
> On Tue, Nov 27, 2001 at 09:34:11AM -0500, Andre` Niel Cameron wrote:
> > The next time I get this thing I am sending everyone a copy a Norton;)
> > Everyone knows someone stuck a virus on the list, most of us have Anti Virus
> > software some do not I think those who do not need to goto download.com and
> > get some as you keep sending the virus to the list.  Just a thought.
>
> Did anyone knock out a procmail recipe for it yet ?
>
> If so, could you share it please ?
>
> Thanks,
>
> Ceri

This was recently shared on the procmail users list:

# Trap BadTrans? (signature as of 11/26/2001)
#
:0
* > 40000
* < 50000
* ^Subject:.*Re:
* ^Content-Type:.*multipart/related;.*"multipart/alternative";.*boundary="====_ABC1234567890DEF_===="
{
  :0 B hfi
  * ^Content-Type: audio/x-wav;
  * ^Content-ID: <EA4DMGBP9p>
  * ^Content-Transfer-Encoding: base64
  | formail -Y -f -A "X-Content-Security: [$HOST] NOTIFY" \
    -A "X-Content-Security: [$HOST] QUARANTINE" \
    -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
}
:0A
{ FOLDER=spam }

The first recipe will set headers to tell you that it is the worm, the
second can be used to redirect it. I'm just dumping it into a spam
folder with the other cr@p, but you may want to /dev/null or bounce
it.

The key is the Content-Type header. Apparently it always uses the same
mime types and the same boundary - with the quotes.

HTH
Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

The goal of science is to build better mousetraps.  The goal of nature
is to build better mice.
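
The same signature as a standalone check, added here as an example; it is not part of the original message or of the recipe shared on the procmail list. It parses the MIME structure with Python's email module instead of regex-matching raw header text, assumes the quoted multipart/alternative value is the multipart/related "type" parameter, and runs on a constructed message with harmless filler (matches_recipe and build_sample are names chosen for this example).

```python
import email

# Signature values copied from the procmail recipe in the message above.
BOUNDARY = "====_ABC1234567890DEF_===="
CONTENT_ID = "<EA4DMGBP9p>"
MIN_SIZE, MAX_SIZE = 40000, 50000  # recipe conditions "* > 40000" and "* < 50000"


def matches_recipe(raw: bytes) -> bool:
    """True when a raw RFC 822 message meets every condition of the recipe."""
    if not MIN_SIZE < len(raw) < MAX_SIZE:
        return False
    msg = email.message_from_bytes(raw)
    # procmail regexes are case-insensitive, so compare the subject lowercased.
    if "re:" not in (msg.get("Subject") or "").lower():
        return False
    if (msg.get_content_type() != "multipart/related"
            or msg.get_param("type") != "multipart/alternative"  # assumed param name
            or msg.get_boundary() != BOUNDARY):
        return False
    # Stricter than the recipe's B conditions: all three must hold on one MIME part.
    for part in msg.walk():
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        cid = (part.get("Content-ID") or "").strip()
        if part.get_content_type() == "audio/x-wav" and cid == CONTENT_ID and cte == "base64":
            return True
    return False


def build_sample(boundary: str = BOUNDARY, lines: int = 560) -> bytes:
    """Constructed message with the same MIME shape and a harmless filler payload."""
    filler = "\r\n".join(["QUFB" * 19] * lines)  # base64 for a run of "A" bytes
    return "\r\n".join([
        "Subject: Re: constructed sample",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/related; type="multipart/alternative"; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain",
        "",
        "constructed text part",
        f"--{boundary}",
        'Content-Type: audio/x-wav; name="filler.bin"',
        "Content-Transfer-Encoding: base64",
        f"Content-ID: {CONTENT_ID}",
        "",
        filler,
        f"--{boundary}--",
    ]).encode("ascii")
```

Because the match depends on a fixed boundary string and Content-ID, any variant that changes either value passes both this check and the recipe.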
