[unisog] procmail rule: sobig.f

Timothy VanFosson timv at ccad.uiowa.edu
Fri Aug 22 14:41:51 GMT 2003

While I have a hard time faulting the logic behind this, please know that
you are also going to filter out some valid email with this rule.  Those
MailScanner users who subscribe to the MailScanner mailing list are aware of
the problem and have gotten around this by including the organization name
in the MailScanner header, which future versions will do by default.
Others, however, who do not subscribe to the mailing list will be
blind-sided if a significant number of people implement this rule.  There
are other ways to flag Sobig -- like filtering based on common virus Subject
headers -- that will avoid the confusion.

I also want to take a moment to emphasize that MailScanner itself is not a
vector for the virus.  The virus writer seems to be either trying to
discredit the MailScanner product (which is very good, IMO) or take
advantage of MailScanner users who have configured their scanners not to
rescan already scanned emails.  You can find more info on MailScanner,
including the primary author's response to Sobig, at www.mailscanner.info.


At 05:44 PM 8/21/2003 -0600, you wrote:
> > I just broke down and installed this sendmail ruleset.  It's not
> > perfect, in that I do know of legitimate mail from real MailScanner
> > installations that will match it, but given I have only a handful of
> > those examples and on the order of 80,000 Sobig.F messages (8
> > *gigabytes* of infected mail traffic) handled by our existing procmail
> > virus defuser in the past few days, we decided the tradeoff was worth
> > it.
> >
> > HX-MailScanner: $>Check_Sobig
> > SCheck_Sobig
> > R Found to be clean   $#error $@ 5.5.3 $: "Rejecting probable Sobig.F message"
> > R $*                  $@OK
> >

Timothy VanFosson, Manager         E-mail: timv at ccad.uiowa.edu
Computing Services, Web Master    WWW: http://www.ccad.uiowa.edu/~timv/
Center for Computer-Aided Design   US Mail: The University of Iowa
Phone: (319) 335-6298                      208 ERF
FAX: (319) 384-0542                        Iowa City, Iowa 52242

What good is it for a man to gain the whole world, yet forfeit
his soul? Or what can a man give in exchange for his soul?
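The trade-off this thread discusses, as an added example that is not part of the original post, the quoted sendmail ruleset, or MailScanner itself: a small Python filter that applies both checks to an RFC 822 message so the false positive can be seen on sample input. Check 1 mirrors the quoted Check_Sobig ruleset (reject on an X-MailScanner value of exactly "Found to be clean", the string Sobig.F forges); check 2 is the Subject-line alternative the post mentions. Assumptions of this example: the organisation name may be placed either in the header name (e.g. X-Example-MailScanner) or in the value ("Found to be clean by example.edu"), the subject list is the set of lines commonly attributed to Sobig.F and should be verified against your own samples, and the three messages are constructed, not captured.

```python
"""Two Sobig.F header checks side by side (added example, not from the post).

check_mailscanner_header() behaves like the quoted sendmail ruleset;
check_subject() is the Subject-line alternative.  The subject list is an
assumption of this example; verify it against real samples.
"""
import email
from email.message import Message

# Subject lines commonly attributed to Sobig.F (assumed list, see lead-in).
SOBIG_F_SUBJECTS = {
    "Re: Details",
    "Re: Approved",
    "Re: Re: My details",
    "Re: Thank you!",
    "Re: That movie",
    "Re: Wicked screensaver",
    "Re: Your application",
    "Thank you!",
    "Your details",
}

# Exact value the sendmail rule "R Found to be clean  $#error ..." matches.
FORGED_MAILSCANNER_VALUE = "Found to be clean"


def check_mailscanner_header(msg: Message) -> str:
    """Reject only on an exact X-MailScanner value match, like the sendmail rule.

    The sendmail header check is keyed on the header name, so a header called
    X-Example-MailScanner is never examined, and a value with extra tokens
    ("Found to be clean by example.edu") does not match the rule's LHS either.
    """
    for value in msg.get_all("X-MailScanner", []):
        if value.strip() == FORGED_MAILSCANNER_VALUE:
            return "reject"
    return "ok"


def check_subject(msg: Message) -> str:
    """Reject when the Subject is one of the known Sobig.F subject lines."""
    subject = (msg.get("Subject") or "").strip()
    return "reject" if subject in SOBIG_F_SUBJECTS else "ok"


def classify(raw: str) -> dict:
    """Run both checks on a raw message and report each verdict separately."""
    msg = email.message_from_string(raw)
    return {
        "header_rule": check_mailscanner_header(msg),
        "subject_rule": check_subject(msg),
    }


# Constructed sample messages (not real captures).
SOBIG_SAMPLE = """\
From: user@example.org
To: victim@example.edu
Subject: Re: Your application
X-MailScanner: Found to be clean
Content-Type: text/plain

See the attached file for details
"""

# Legitimate mail from a MailScanner install that does not yet add its
# organisation name: the header rule cannot tell it from the worm.
LEGIT_OLD_MAILSCANNER = """\
From: colleague@example.org
To: you@example.edu
Subject: Minutes from Thursday
X-MailScanner: Found to be clean
Content-Type: text/plain

Minutes attached, see you next week.
"""

# Legitimate mail from a MailScanner install that carries its organisation
# name in the header name: the exact-match rule no longer fires.
LEGIT_ORG_HEADER = """\
From: colleague@example.org
To: you@example.edu
Subject: Minutes from Thursday
X-Example-MailScanner: Found to be clean
Content-Type: text/plain

Minutes attached, see you next week.
"""


if __name__ == "__main__":
    for name, raw in [("sobig", SOBIG_SAMPLE),
                      ("legit, old header", LEGIT_OLD_MAILSCANNER),
                      ("legit, org header", LEGIT_ORG_HEADER)]:
        print(f"{name:18} -> {classify(raw)}")
```

Run stand-alone it prints one verdict pair per sample: the worm sample is caught by both checks, the legitimate message from an older MailScanner is rejected by the header rule alone (the false positive the post warns about), and the message whose scanner header carries the organisation name passes both. The header rule is the same test as the procmail condition `* ^X-MailScanner: Found to be clean$`; keeping the subject list in a script rather than in a recipe makes it easier to extend as new variants appear.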
