dealing with email from "Mydoom" worm

Boris 'pi' Piwinger 3.14 at logic.univie.ac.at
Tue Jan 27 21:23:49 CET 2004


Stefan Bellon <sbellon at sbellon.de> wrote:

>> But something feels wrong about using bogofilter to process
>> worm-generated email as akin to spam.  I'm concerned that the "Mydoom"
>> triggered messages are a bit too close to real non-spam messages for
>> comfort.  (On the other hand, I get so many bounce messages as a
>> result of spammer's forging "from" headers with my domain names, that
>> I'm mostly ignoring such messages anyway.)

Well, messages recognized by the virus scanner are filtered
before bogofilter, then ...

>I already posted an ~/.procmailrc filter for the last worm that spread
>around. For this one, I found the following recipe:
>
>:0
>* > 30000
>* < 34000
>{
>:0 BD
>*
>^aUgARAc4MDRN03QDKCQcGBDTLLvXCCMD\+Cnw6E3TNE3g2NDIvLQ0TdM0rKSclIzONk3TiHxwaClv$
>/dev/null
>}
>
>The line after ":0 BD" and before "/dev/null" is actually one single
>line.

Well, I don't want to change it every time a new virus
comes around. So I use this:

:0:
* ^Content-Type:.*multipart/
* 1^1 B ?? ^Content-Type:.*application/x-msdownload
* 1^1 B ?? ^Content-Type:.*name=.*\.(exe|scr|pif|com|bat)
* 1^1 B ?? ^[   ]+(file)?name=.*\.(exe|scr|pif|com|bat)
* -1^1 B ?? ^[  ]+(file)?name=3D.*\.(exe|scr|pif|com|bat)
/tmp/.3.14-virus-v-`date +%Y%m%d`
:0:
* 1^0 ^Content-Type:.*application/x-msdownload
* 1^0 ^Content-Type:.*name=.*\.(exe|scr|pif|com|bat)
/tmp/.3.14-virus-v-`date +%Y%m%d`


It works very well. OK, there is one of those zip things
which came through today, but that is not too bad.

Anyhow, all the "disabled" viruses and bounces to viruses
are taken care of by bogofilter. That really saves a lot.

pi
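As an added illustration (not part of the original post or of procmail itself), the following Python script re-implements the scoring logic of the recipe above so it can be tried on sample messages: each `w^x` condition contributes w + w*x + w*x^2 ... per match, the unweighted multipart condition is treated as a gate that must match, and the two recipes are tried in order as procmail would. It assumes LF line endings and case-insensitive matching (no `D` flag); the two messages are constructed samples, not real worm mail.

```python
import re

EXT = r"\.(exe|scr|pif|com|bat)"          # attachment extensions the recipe flags
FLAGS = re.MULTILINE | re.IGNORECASE      # procmail regexps are case-insensitive without the D flag

# Each tuple mirrors one "* w^x [B ??] regexp" condition as (weight, exponent, regexp).
RECIPE1_GATE = r"^Content-Type:.*multipart/"   # unweighted: must match the header
RECIPE1_BODY = [                               # "B ??": matched against the body
    (1, 1, r"^Content-Type:.*application/x-msdownload"),
    (1, 1, r"^Content-Type:.*name=.*" + EXT),
    (1, 1, r"^[ \t]+(file)?name=.*" + EXT),
    (-1, 1, r"^[ \t]+(file)?name=3D.*" + EXT),  # undoes the line above for QP-encoded "name=3D"
]
RECIPE2_HEADER = [                             # no "B ??": matched against the header only
    (1, 0, r"^Content-Type:.*application/x-msdownload"),
    (1, 0, r"^Content-Type:.*name=.*" + EXT),
]

def condition_score(weight, exponent, regexp, text):
    """procmail w^x scoring: n matches add w + w*x + ... + w*x**(n-1); 1^0 counts only the first."""
    n = len(re.findall(regexp, text, FLAGS))
    return sum(weight * exponent ** i for i in range(n))

def classify(raw):
    """Return (recipe, score) of the first recipe that fires, as procmail would, or (None, 0)."""
    header, _, body = raw.partition("\n\n")   # header ends at the first empty line (LF assumed)
    if re.search(RECIPE1_GATE, header, FLAGS):
        score = sum(condition_score(w, x, r, body) for w, x, r in RECIPE1_BODY)
        if score > 0:
            return "recipe1", score
    score = sum(condition_score(w, x, r, header) for w, x, r in RECIPE2_HEADER)
    return ("recipe2", score) if score > 0 else (None, 0)

# Constructed samples: a multipart mail with a .pif attachment, and a quoted-printable
# bounce whose text merely echoes a "filename=3D" header line (scores net zero).
WORM = ("Subject: hi\nContent-Type: multipart/mixed; boundary=\"b\"\n\n--b\n"
        "Content-Type: application/x-msdownload; name=\"document.pif\"\n"
        "Content-Disposition: attachment;\n\tfilename=\"document.pif\"\n\n"
        "base64-data-here\n--b--\n")
BOUNCE = ("Subject: Undelivered Mail\nContent-Type: multipart/report; boundary=\"b\"\n\n--b\n"
          "Content-Type: text/plain\nContent-Transfer-Encoding: quoted-printable\n\n"
          "The original headers were:\n  Content-Disposition: attachment;\n"
          "  filename=3D\"readme.exe\"\n--b--\n")

if __name__ == "__main__":
    print(classify(WORM))     # ('recipe1', 3)
    print(classify(BOUNCE))   # (None, 0)
```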



