[unisog] procmail rule: sobig.f

Mike Carter Mike.Carter at Colorado.EDU
Thu Aug 21 23:44:47 GMT 2003

I would be careful using $#error on this.  Since Sobig forges return addresses,
this is likely to return things to the wrong people or dump them on
unsuspecting postmasters.  I tested a similar rule last night for 8
hours on a key server and dumped 20K messages on one of my fellow 
postmasters. If you are comfortable with your check, I would highly recommend 
using $#discard instead.

> I just broke down and installed this sendmail ruleset.  It's not
> perfect, in that I do know of legitimate mail from real MailScanner
> installations that will match it, but given I have only a handful of
> those examples and on the order of 80,000 Sobig.F messages (8
> *gigabytes* of infected mail traffic) handled by our existing procmail
> virus defuser in the past few days, we decided the tradeoff was worth
> it.
> HX-MailScanner: $>Check_Sobig
> SCheck_Sobig
> R Found to be clean	$#error $@ 5.5.3 $: "Rejecting probable Sobig.F message"
> R $*			$@OK


                                - Mike Carter
                                  Information Technology Services
                                  University of Colorado, Boulder
