[unisog] procmail rule: sobig.f
stevev at darkwing.uoregon.edu
Thu Aug 21 20:18:33 GMT 2003
Cam Beasley, ISO writes:
> ; SOBIG.F -- i'm a hungry worm, gimme tacos
> * ^VDvdKcYWznRbLRPadQ+V576YUs6FwBGGrYnr7c
> Rule is broken into two lines to evade AVware.
> Apply to e-mail greater than 95 KB in size.
I just broke down and installed this sendmail ruleset. It's not
perfect, in that I do know of legitimate mail from real MailScanner
installations that will match it, but given I have only a handful of
those examples and on the order of 80,000 Sobig.F messages (8
*gigabytes* of infected mail traffic) handled by our existing procmail
virus defuser in the past few days, we decided the tradeoff was worth
R Found to be clean $#error $@ 5.5.3 $: "Rejecting probable Sobig.F message"
R $* $@OK
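
Added example, not part of the original post: a Python model of the header rule above, run over constructed messages, showing the false positive on legitimate MailScanner-tagged mail and how the result changes if the match is limited to mail over the 95 KB size from the quoted note. The header name X-MailScanner, the idea of applying a size gate to the header rule, and all sample messages are assumptions.

```python
import email
from email import policy

# Assumption: the header name is not on the page, which shows only the value.
HEADER_NAME = "X-MailScanner"
PATTERN = ["found", "to", "be", "clean"]      # LHS tokens of the posted rule
REJECT = "5.5.3 Rejecting probable Sobig.F message"
SIZE_GATE = 95 * 1024                          # "greater than 95 KB" (quoted note)


def header_matches(raw: bytes) -> bool:
    """True if any HEADER_NAME value equals the rule's tokens, ignoring case."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(str(v).lower().split() == PATTERN
               for v in msg.get_all(HEADER_NAME, []))


def verdict(raw: bytes, size_gate: bool = False) -> str:
    """Model the posted header rule; optionally spare mail at or under 95 KB."""
    if not header_matches(raw):
        return "OK"
    if size_gate and len(raw) <= SIZE_GATE:
        return "OK"
    return REJECT


def _msg(subject: str, headers: str, body: str) -> bytes:
    return (f"From: a@example.org\r\nTo: b@example.org\r\n"
            f"Subject: {subject}\r\n{headers}\r\n{body}").encode()


# Constructed samples (no real mail, no worm content).
TAG = "X-MailScanner: Found to be clean\r\n"
FILLER = ("A" * 76 + "\r\n") * 1400             # over 100 KB of padding
SAMPLES = {
    "legit_small_tagged": _msg("minutes", TAG, "See notes below.\r\n"),
    "large_tagged": _msg("report", TAG, FILLER),
    "untagged": _msg("hello", "", "plain message\r\n"),
    "odd_case_tagged": _msg("x", "X-MailScanner: found  to be CLEAN\r\n", FILLER),
}


def evaluate(size_gate: bool) -> dict:
    return {name: verdict(raw, size_gate) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for gate in (False, True):
        print("size_gate =", gate)
        for name, result in evaluate(gate).items():
            print(f"  {name:20s} {result}")
```

With the gate off, the small legitimate message is rejected along with the large ones; with it on, only tagged mail over 95 KB is rejected.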