Sieve script to filter today's MS annoyances

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Sep 19 11:49:14 PDT 2003 

On Fri, Sep 19, 2003 at 07:29:13PM +0200, Oliver Fromme wrote:
> Kirk Strauser <kirk at strauser.com> wrote:
>  > I don't know what's going on, but I've been getting literally hundreds of
>  > virus/worm-looking emails per hour all day today.  I grew tired of it and
>  > wrote the following Sieve script to filter my mail on the server.
>  > 
>  > The pseudo-bounce messages were particularly annoying; they're close enough
>  > to the real bounce messages that I *want* to keep that they justified a
>  > little closer examination.  I'll probably tighten the other message type to
>  > also examine the sender, but I doubt I'll be getting any legitimate mails
>  > that look like:
>  > 
>  >     Subject: latest security patch
>  > 
>  > in the near future.  Anyway, enjoy as you see fit.
> 
> I got lots of those, too.  From looking at the headers,
> there didn't seem to be very reliable things to identify
> that crap, so i decided to filter by body.
> 
> The following is an excerpt from my ~/.mailfilter (I'm
> using /usr/ports/mail/maildrop):
> 
> 
> if (/^"September 2003, Cumulative Patch" update which /:b || \
>     /^Content-Type: audio\/x-(wav|midi); name="[a-z]*\.(exe|com|bat|scr)")/:b)
> {
> 	to "$HOME/Mail/fake-ms-crap"
> }
> 

The string:

AJBAPACQQDkAkEA3AJBANACQQDEAkEAvAJBALACQQCoAkEApAJBAJwCQQCUAkEAjAJBAIQCQQB8

seems to appear in all instances of the W32/Gibe worm.  However, I
find feeding the worm emails into the Bayes classifier gives me a
certain vicarious satisfaction...  That and tweaking the SpamAssassin
rules so that MICROSOFT_EXECUTABLE scores 4.0 points means that most
of them are scoring high enough to bounce now.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20030919/aca61ab6/attachment.bin

More information about the freebsd-stable mailing list