FAQ: Asian spam
Boris 'pi' Piwinger
3.14 at logic.univie.ac.at
Fri Mar 28 10:10:24 CET 2003
"Boris 'pi' Piwinger" <3.14 at logic.univie.ac.at> wrote:
>> ## Silently drop all completely unreadable spam
>> :0
>> * 1^0 ^\/Subject:.*=\?(.*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987|windows-1251|windows-1256)\?
>> * 1^0 ^Content-Type:.*charset="?(.*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987|windows-1251|windows-1256)
>> /dev/null
>
>This fails on multipart, but the fix is too risky I think.
Tony L. Svanstrom <tony at svanstrom.com> could not post to a
list. But he has some recipe that works. Here it is (remove
quotes):
>:0
>* ^Content-Type:[ ]*multipart/.*;[ ]*boundary="\/[^"]+
> {
> :0B
> * $ ^--$\MATCH^Content-Type:[ ]*multipart/.*;^?[ ]*boundary=\"\/.+[^\"]
> { }
> :0Bfw
> * $ ^--$\MATCH^Content-Type:.*^?[ ]*charset[=:\"]*(CharsetA|CharsetB|CharsetEtc)
> | formail -A "x-svanstrom.com: Blacklisted: Charset in MIME!"
> }
pi
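The point of the thread above, shown in working code as an added example (this is not part of the original message and not bogofilter or procmail code): the first recipe only looks at charset= in the outermost Content-Type: header and at Subject: encoded words, so it misses multipart mail, where charset= sits on the inner text parts; Tony's recipe reaches the first inner part through the boundary. The script below does the general walk with the standard library's email package and also decodes RFC 2047 encoded words in Subject:. The charset list is copied from the quoted recipe; the sample messages are constructed for this example.

```python
"""Charset blacklist that inspects every MIME part, not just the top header.

Added example, not code from the original post, bogofilter or procmail.
The procmail recipes match charset= only in the top-level Content-Type:
(and in Subject: encoded words), so a multipart message whose inner text
part declares gb2312 slips through. This walks the whole MIME tree with the
standard library. The charset list mirrors the quoted recipe; the sample
messages are constructed.
"""
import email
from email.header import decode_header

# Charsets the quoted recipe treats as unreadable to the recipient.
BLACKLISTED_CHARSETS = frozenset({
    "big5", "iso-2022-jp", "iso-2022-kr", "euc-kr", "gb2312",
    "ks_c_5601-1987", "windows-1251", "windows-1256",
})


def subject_charsets(msg):
    """Charsets named in RFC 2047 encoded words of the Subject: header."""
    found = set()
    for _text, charset in decode_header(msg.get("Subject", "")):
        if charset:
            found.add(charset.lower())
    return found


def part_charsets(msg):
    """charset= parameter of every MIME part, nested multiparts included."""
    found = set()
    for part in msg.walk():  # depth-first over the whole MIME tree
        charset = part.get_content_charset()
        if charset:
            found.add(charset.lower())
    return found


def top_level_charset_of(raw):
    """What the simple recipe sees: charset= on the outermost Content-Type only."""
    return email.message_from_string(raw).get_content_charset()


def blacklisted_charsets_of(raw):
    """Sorted list of blacklisted charsets found anywhere in the message."""
    msg = email.message_from_string(raw)
    hits = (subject_charsets(msg) | part_charsets(msg)) & BLACKLISTED_CHARSETS
    return sorted(hits)


# Constructed samples; bodies are placeholders, only the headers matter here.
# Outer Content-Type has no charset=, so the simple recipe never fires.
MULTIPART_GB2312 = """\
From: sender@example.invalid
To: you@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: 8bit

(body)
--b1
Content-Type: text/html; charset="gb2312"

<p>(body)</p>
--b1--
"""

# Only the Subject: encoded word names a blacklisted charset.
SUBJECT_BIG5 = """\
From: sender@example.invalid
To: you@example.invalid
Subject: =?big5?Q?=A4=A4=A4=E5?=
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

(body)
"""

# Western European mail: encoded word and charset=, but nothing blacklisted.
LEGIT_LATIN1 = """\
From: sender@example.invalid
To: you@example.invalid
Subject: =?iso-8859-1?Q?Gr=FC=DFe?=
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

Hallo
"""

if __name__ == "__main__":
    for name, raw in [("multipart gb2312", MULTIPART_GB2312),
                      ("subject big5", SUBJECT_BIG5),
                      ("legit latin1", LEGIT_LATIN1)]:
        print(f"{name:18} top-level charset={top_level_charset_of(raw)!s:11} "
              f"blacklisted={blacklisted_charsets_of(raw)}")
```

The declared charset is entirely under the sender's control: a sender can omit charset=, name an alias the list does not contain, or use RFC 2231 parameter continuations, so a name denylist is a heuristic and is safer feeding a score or a quarantine folder than a /dev/null delivery.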
Return-Path: <>
Delivered-To: root at osagesoftware.com
Received: by osagesoftware.com (Postfix) via BOUNCE
id 8ED9627ECE; Fri, 28 Mar 2003 04:20:29 -0500 (EST)
Date: Fri, 28 Mar 2003 04:20:29 -0500 (EST)
From: MAILER-DAEMON at osagesoftware.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: root at osagesoftware.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="6A73727ECB.1048843229/osagesoftware.com"
Message-Id: <20030328092029.8ED9627ECE at osagesoftware.com>
This is a MIME-encapsulated message.
--6A73727ECB.1048843229/osagesoftware.com
Content-Description: Notification
Content-Type: text/plain
This is the Postfix program at host osagesoftware.com.
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The Postfix program
<admin at nic.osagesoftware.com>: mail for nic.osagesoftware.com loops back to
myself
--6A73727ECB.1048843229/osagesoftware.com
Content-Description: Delivery error report
Content-Type: message/delivery-status
Reporting-MTA: dns; osagesoftware.com
Arrival-Date: Fri, 28 Mar 2003 04:20:18 -0500 (EST)
Final-Recipient: rfc822; admin at nic.osagesoftware.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; mail for nic.osagesoftware.com loops back to myself
--6A73727ECB.1048843229/osagesoftware.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from osage.osagesoftware.com (osage.osagesoftware.com [192.168.1.10])
by osagesoftware.com (Postfix) with ESMTP id 6A73727ECB
for <admin at nic.osagesoftware.com>; Fri, 28 Mar 2003 04:20:18 -0500 (EST)
Received: by osage.osagesoftware.com (Postfix, from userid 0)
id 9DB9114495; Fri, 28 Mar 2003 04:20:14 -0500 (EST)
From: root at osagesoftware.com (Cron Daemon)
To: admin at nic.osagesoftware.com
Subject: Cron <root at osage> nice -n 18 run-parts /etc/cron.daily
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin>
X-Cron-Env: <MAILTO=admin at nic.osagesoftware.com>
X-Cron-Env: <MAIL_USER=admin at nic.osagesoftware.com>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
Message-Id: <20030328092014.9DB9114495 at osage.osagesoftware.com>
Date: Fri, 28 Mar 2003 04:20:14 -0500 (EST)
/etc/cron.daily/logcheck: line 3: /usr/bin/logcheck.sh: No such file or directory
/etc/cron.daily/logcheck: line 3: exec: /usr/bin/logcheck.sh: cannot execute: No such file or directory
run-parts: /etc/cron.daily/logcheck exited with return code 126
bzcat: Can't open input file ./newaliases.1.bz2: No such file or directory.
bzcat: Can't open input file ./mailq.1.bz2: No such file or directory.
bzcat: Can't open input file ./aliases.5.bz2: No such file or directory.
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/osage.osagesoftware.com-20030328-040640.twr
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Fri Mar 28 04:06:40 2003
Database last updated on: Never
=======================================
Report Summary:
=======================================
Host name: osage.osagesoftware.com
Host IP address: 192.168.1.10
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/osage.osagesoftware.com.twd
Command line used: /usr/sbin/tripwire --check
=======================================
Rule Summary:
=======================================
Section: Unix File System
Rule Name                                      Severity Level  Added  Removed  Modified
---------                                      --------------  -----  -------  --------
Invariant Directories                          66              0      0        0
Temporary directories                          33              0      0        0
Tripwire Data Files                            100             0      0        0
Critical devices                               100             0      0        0
* User binaries                                66              13     0        5
Tripwire Binaries                              100             0      0        0
* Libraries                                    66              0      0        13
File System and Disk Administraton Programs    100             0      0        0
Kernel Administration Programs                 100             0      0        0
Networking Programs                            100             0      0        0
System Administration Programs                 100             0      0        0
Hardware and Device Control Programs           100             0      0        0
System Information Programs                    100             0      0        0
Application Information Programs               100             0      0        0
Shell Related Programs                         100             0      0        0
Critical Utility Sym-Links                     100             0      0        0
Critical system boot files                     100             0      0        0
* Critical configuration files                 100             17     14       31
* System boot changes                          100             2      7        23
OS executables and libraries                   100             0      0        0
* Security Control                             100             1      0        5
Login Scripts                                  100             0      0        0
Operating System Utilities                     100             0      0        0
Shell Binaries                                 100             0      0        0
* Root config files                            100             4      1        4
Total objects scanned: 12946
Total violations found: 140
=======================================
Object Summary:
=======================================
# Section: Unix File System
Rule Name: Libraries (/usr/lib)
Severity Level: 66
Modified:
"/usr/lib"
"/usr/lib/libefence.so.0"
"/usr/lib/libefence.so.0.0"
Rule Name: User binaries (/usr/bin)
Severity Level: 66
Added:
"/usr/bin/db_dump"
"/usr/bin/db_printlog"
"/usr/bin/db_load"
"/usr/bin/berkeley_db_svc"
"/usr/bin/db_archive"
"/usr/bin/db_checkpoint"
"/usr/bin/db_deadlock"
"/usr/bin/db_dump185"
"/usr/bin/db_recover"
"/usr/bin/db_stat"
"/usr/bin/db_upgrade"
"/usr/bin/db_verify"
Modified:
"/usr/bin"
Rule Name: Libraries (/usr/local/lib)
Severity Level: 66
Modified:
"/usr/local/lib/valgrind"
"/usr/local/lib/valgrind/default.supp"
"/usr/local/lib/valgrind/glibc-2.1.supp"
"/usr/local/lib/valgrind/glibc-2.2.supp"
"/usr/local/lib/valgrind/libpthread.so"
"/usr/local/lib/valgrind/libpthread.so.0"
"/usr/local/lib/valgrind/valgrind.so"
"/usr/local/lib/valgrind/valgrinq.so"
"/usr/local/lib/valgrind/xfree-3.supp"
"/usr/local/lib/valgrind/xfree-4.supp"
Rule Name: User binaries (/usr/local/bin)
Severity Level: 66
Added:
"/usr/local/bin/jwhois"
Modified:
"/usr/local/bin"
"/usr/local/bin/cachegrind"
"/usr/local/bin/valgrind"
"/usr/local/bin/vg_annotate"
Rule Name: System boot changes (/var/log)
Severity Level: 100
Added:
"/var/log/security/rpm-va.today.tmp"
Removed:
"/var/log/security/chkrootkit.today"
"/var/log/security/rpm-va-config.today"
"/var/log/security/rpm-va.today"
"/var/log/httpd/ssl_scache.sem"
"/var/log/#dmesg#"
"/var/log/.#dmesg"
Modified:
"/var/log/security/chkrootkit.yesterday"
"/var/log/security/open_port.today"
"/var/log/security/open_port.yesterday"
"/var/log/security/rpm-qa.today"
"/var/log/security/rpm-qa.yesterday"
"/var/log/security/rpm-va-config.yesterday"
"/var/log/security/rpm-va.yesterday"
"/var/log/security/sgid.today"
"/var/log/security/sgid.yesterday"
"/var/log/security/suid_md5.today"
"/var/log/security/suid_md5.yesterday"
"/var/log/security/suid_root.today"
"/var/log/security/suid_root.yesterday"
"/var/log/security/unowned_group.today"
"/var/log/security/unowned_group.yesterday"
"/var/log/security/unowned_user.today"
"/var/log/security/unowned_user.yesterday"
"/var/log/security/writable.today"
"/var/log/security/writable.yesterday"
Rule Name: System boot changes (/var/lock/subsys)
Severity Level: 100
Removed:
"/var/lock/subsys/ntpd"
Modified:
"/var/lock/subsys/httpd"
"/var/lock/subsys/postfix"
Rule Name: System boot changes (/var/run)
Severity Level: 100
Added:
"/var/run/msec-security.pid"
Modified:
"/var/run/httpd-perl.pid"
"/var/run/httpd.pid"
Rule Name: Critical configuration files (/etc/sysconfig)
Severity Level: 100
Added:
"/etc/sysconfig/network-scripts/CVS"
"/etc/sysconfig/network-scripts/CVS/Root"
"/etc/sysconfig/network-scripts/CVS/Repository"
"/etc/sysconfig/network-scripts/CVS/Entries"
"/etc/sysconfig/CVS"
"/etc/sysconfig/CVS/Root"
"/etc/sysconfig/CVS/Repository"
"/etc/sysconfig/CVS/Entries"
Removed:
"/etc/sysconfig/network-scripts/drakconnect_conf.default"
Modified:
"/etc/sysconfig"
"/etc/sysconfig/network"
"/etc/sysconfig/network-scripts"
"/etc/sysconfig/network-scripts/drakconnect_conf"
"/etc/sysconfig/network-scripts/net_resolv.default"
Rule Name: Security Control (/etc/security)
Severity Level: 100
Added:
"/etc/security/msec/level.local~"
Modified:
"/etc/security/msec"
"/etc/security/msec/CVS"
"/etc/security/msec/CVS/Entries"
"/etc/security/msec/level.local"
"/etc/security/msec/security.conf"
Rule Name: Critical configuration files (/etc/crontab)
Severity Level: 100
Modified:
"/etc/crontab"
Rule Name: Critical configuration files (/etc/httpd/conf)
Severity Level: 100
Added:
"/etc/httpd/conf/ssl/server.crt.dummy"
"/etc/httpd/conf/ssl/server.key.dummy"
"/etc/httpd/conf/httpd-perl.conf.0509.1248"
"/etc/httpd/conf/httpd-perl.conf~"
"/etc/httpd/conf/nic.httpd.conf"
"/etc/httpd/conf/commonhttpd.conf~"
Removed:
"/etc/httpd/conf/bak"
"/etc/httpd/conf/bak/httpd-perl.conf-20030320-12.00.31"
"/etc/httpd/conf/bak/httpd-perl.conf-20030320-12.00.33"
"/etc/httpd/conf/bak/httpd-perl.conf-20030320-18.14.13"
"/etc/httpd/conf/bak/httpd.conf-20030320-12.00.31"
"/etc/httpd/conf/bak/httpd.conf-20030320-12.00.33"
"/etc/httpd/conf/bak/httpd.conf-20030320-18.14.13"
"/etc/httpd/conf/bak/mod_ssl.conf-20030320-18.14.13"
"/etc/httpd/conf/bak/ssl.default-vhost.conf-20030320-18.14.13"
"/etc/httpd/conf/mailman.conf"
Modified:
"/etc/httpd/conf"
"/etc/httpd/conf/addon-modules"
"/etc/httpd/conf/addon-modules/php.conf"
"/etc/httpd/conf/addon-modules/proxied_handlers.pl"
"/etc/httpd/conf/apache-mime.types"
"/etc/httpd/conf/commonhttpd.conf"
"/etc/httpd/conf/httpd-perl.conf"
"/etc/httpd/conf/httpd.conf"
"/etc/httpd/conf/magic"
"/etc/httpd/conf/magic.default"
"/etc/httpd/conf/ssl"
"/etc/httpd/conf/ssl/mod_ssl.conf"
"/etc/httpd/conf/ssl/ssl.default-vhost.conf"
"/etc/httpd/conf/vhosts"
"/etc/httpd/conf/vhosts/DynamicVhosts.conf"
"/etc/httpd/conf/vhosts/Vhosts.conf"
"/etc/httpd/conf/vhosts/VirtualHomePages.conf"
Rule Name: Critical configuration files (/etc/rc.d)
Severity Level: 100
Added:
"/etc/rc.d/rc3.d/K10ntpd"
"/etc/rc.d/rc4.d/K10ntpd"
"/etc/rc.d/rc5.d/K10ntpd"
Removed:
"/etc/rc.d/rc3.d/S55ntpd"
"/etc/rc.d/rc4.d/S55ntpd"
"/etc/rc.d/rc5.d/S55ntpd"
Modified:
"/etc/rc.d/CVS"
"/etc/rc.d/CVS/Entries"
"/etc/rc.d/rc.modules"
"/etc/rc.d/rc3.d"
"/etc/rc.d/rc4.d"
"/etc/rc.d/rc5.d"
Rule Name: Critical configuration files (/etc/modules.conf)
Severity Level: 100
Modified:
"/etc/modules.conf"
Rule Name: Critical configuration files (/etc/hosts)
Severity Level: 100
Modified:
"/etc/hosts"
Rule Name: Root config files (/root)
Severity Level: 100
Added:
"/root/bin/mfd"
"/root/bin/ufd"
"/root/bin/mfd~"
"/root/.emacs-places~"
Removed:
"/root/.xauthk0xkxc"
Modified:
"/root"
"/root/.emacs-places"
"/root/bin"
Rule Name: Root config files (/root/.gnome)
Severity Level: 100
Modified:
"/root/.gnome/gtkdiff"
=======================================
Error Report:
=======================================
No Errors
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
run-parts: /etc/cron.daily/tripwire-check exited with return code 7
--6A73727ECB.1048843229/osagesoftware.com--
More information about the Bogofilter mailing list