[unisog] procmail rule: sobig.f

Steve VanDevender stevev at darkwing.uoregon.edu
Thu Aug 21 20:18:33 GMT 2003


Cam Beasley, ISO writes:
 > 
 > 	; SOBIG.F -- i'm a hungry worm, gimme tacos
 > 	:0:
 > 	* ^VDvdKcYWznRbLRPadQ+V576YUs6FwBGGrYnr7c
 >    	qYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A
 > 	/TACOSHACK/NULL
 > 
 > Rule is broken into two lines to evade AVware.
 > Apply to e-mail greater than 95 KB in size.

I just broke down and installed this sendmail ruleset.  It's not
perfect, in that I do know of legitimate mail from real MailScanner
installations that will match it, but given I have only a handful of
those examples and on the order of 80,000 Sobig.F messages (8
*gigabytes* of infected mail traffic) handled by our existing procmail
virus defuser in the past few days, we decided the tradeoff was worth
it.

HX-MailScanner: $>Check_Sobig
SCheck_Sobig
R Found to be clean	$#error $@ 5.5.3 $: "Rejecting probable Sobig.F message"
R $*			$@OK
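
An added example, not part of the original post or of either poster's configuration: a Python sketch for estimating the tradeoff described above before deploying the ruleset, by replaying stored mail through an approximation of `Check_Sobig`. The function names, the 'reject-small' review heuristic (a match below the 95 KB size from the quoted note) and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy

SIZE_THRESHOLD = 95 * 1024          # "greater than 95 KB" from the quoted note
FORGED_VALUE = "found to be clean"  # value the Check_Sobig rule rejects


def header_rule_matches(msg):
    """Approximate Check_Sobig: the rule's LHS has no wildcard, so the whole
    X-MailScanner value must match (compared case-insensitively here)."""
    for value in msg.get_all("X-MailScanner", []):
        if " ".join(str(value).split()).lower() == FORGED_VALUE:
            return True
    return False


def classify(raw):
    """Return 'pass', 'reject-large' or 'reject-small' for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    if not header_rule_matches(msg):
        return "pass"
    # Below the size the procmail note targets: review as a possible
    # false positive (heuristic assumed for this example).
    return "reject-large" if len(raw) > SIZE_THRESHOLD else "reject-small"


def audit(messages):
    """Count outcomes over an iterable of raw messages (bytes)."""
    counts = {"pass": 0, "reject-large": 0, "reject-small": 0}
    for raw in messages:
        counts[classify(raw)] += 1
    return counts


def _sample(extra_header, body_len):
    """Build a constructed test message; not real traffic."""
    head = b"From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
    return head + extra_header + b"\r\n" + b"A" * body_len


SAMPLES = [
    _sample(b"X-MailScanner: Found to be clean\r\n", 100 * 1024),
    _sample(b"X-MailScanner: Found to be clean\r\n", 2000),
    _sample(b"X-Example-MailScanner: Found to be clean\r\n", 2000),
    _sample(b"", 2000),
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Messages counted as 'reject-small' are the ones to inspect by hand, since they carry the header but not the size the procmail note associates with the worm.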


