[unisog] procmail rule: sobig.f

Steve VanDevender stevev at darkwing.uoregon.edu
Thu Aug 21 20:18:33 GMT 2003

Cam Beasley, ISO writes:
 > 	; SOBIG.F -- i'm a hungry worm, gimme tacos
 > 	:0:
 > 	* ^VDvdKcYWznRbLRPadQ+V576YUs6FwBGGrYnr7c
 >    	qYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A
 > Rule is broken into two lines to evade AVware.
 > Apply to e-mail greater than 95 KB in size.

I just broke down and installed this sendmail ruleset.  It's not
perfect, in that I do know of legitimate mail from real MailScanner
installations that will match it, but given I have only a handful of
those examples and on the order of 80,000 Sobig.F messages (8
*gigabytes* of infected mail traffic) handled by our existing procmail
virus defuser in the past few days, we decided the tradeoff was worth

HX-MailScanner: $>Check_Sobig

SCheck_Sobig
R Found to be clean	$#error $@ 5.5.3 $: "Rejecting probable Sobig.F message"
R $*			$@OK
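
Added example (not part of the original post or of either poster's configuration): a Python audit that counts how many messages in a sample the X-MailScanner header rule above would reject, so the false-positive tradeoff can be measured before deployment. Splitting matches at the 95 KB size from the quoted procmail note, the case-insensitive comparison, the function names and the sample messages are all assumptions of this example.

```python
import email
from email import policy

HEADER = "X-MailScanner"
MATCH_VALUE = "found to be clean"   # value matched by the ruleset's first R line
SIZE_THRESHOLD = 95 * 1024          # 95 KB, from the quoted procmail note


def classify(raw: bytes) -> str:
    """Return 'pass', 'reject-large' or 'reject-small' for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    values = msg.get_all(HEADER) or []
    # Unfold and collapse whitespace, then compare the whole value.
    # Case-insensitive comparison is this example's approximation of the rule.
    hit = any(" ".join(v.split()).lower() == MATCH_VALUE for v in values)
    if not hit:
        return "pass"
    # Large matches fit the worm's profile; small ones are the candidates
    # for legitimate MailScanner mail that the rule would also reject.
    return "reject-large" if len(raw) > SIZE_THRESHOLD else "reject-small"


def audit(messages):
    """Count outcomes over an iterable of raw RFC 822 messages (bytes)."""
    counts = {"pass": 0, "reject-large": 0, "reject-small": 0}
    for raw in messages:
        counts[classify(raw)] += 1
    return counts


def _msg(headers: str, body_len: int) -> bytes:
    """Build a constructed test message with a filler body."""
    return (headers + "\r\n\r\n").encode() + b"A" * body_len


# Constructed sample messages, not captured traffic.
SAMPLES = [
    _msg("Subject: sample 1\r\nX-MailScanner: Found to be clean", 100 * 1024),
    _msg("Subject: sample 2\r\nX-MailScanner: Found to be clean", 2000),
    _msg("Subject: sample 3\r\nX-Example-MailScanner: Found to be clean", 2000),
    _msg("Subject: sample 4", 500),
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Messages counted as reject-small are the ones to review by hand, since they carry the header value but not the worm's size.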
