[unisog] procmail rule: sobig.f

Dennis Viner Dennis_Viner at kgi.edu
Fri Aug 22 17:00:12 GMT 2003


Just to add my 2 cents, we use MailScanner together with Sophos to filter all incoming and outgoing mail and since Sobig started we've only had a single PC infected (from a user checking a webmail account on a PC with an outdated set of signatures). We're relatively small, but the product has been great for us.

Dennis Viner 
Keck Graduate Institute 

> -----Original Message-----
> From: Timothy VanFosson [mailto:timv at ccad.uiowa.edu]
> Sent: Friday, August 22, 2003 7:42 AM
> To: unisog at sans.org
> Subject: Re: [unisog] procmail rule: sobig.f
> 
> 
> While I have a hard time faulting the logic behind this, please know that
> you are also going to filter out some valid email with this rule.  Those
> MailScanner users who subscribe to the MailScanner mailing list are aware of
> the problem and have gotten around this by including the organization name
> in the MailScanner header, which future versions will do by default.
> Others, however, who do not subscribe to the mailing list will be
> blind-sided if a significant number of people implement this rule.  There
> are other ways to flag Sobig -- like filtering based on common virus Subject
> headers -- that will avoid the confusion.
> 
> I also want to take a moment to emphasize that MailScanner itself is not a
> vector for the virus.  The virus writer seems to be either trying to
> discredit the MailScanner product (which is very good, IMO) or take
> advantage of MailScanner users who have configured their scanners not to
> rescan already scanned emails.  You can find more info on MailScanner,
> including the primary author's response to Sobig, at www.mailscanner.info.
> 
> tv
> 
> 
> 
> At 05:44 PM 8/21/2003 -0600, you wrote:
> > > I just broke down and installed this sendmail ruleset.  It's not
> > > perfect, in that I do know of legitimate mail from real MailScanner
> > > installations that will match it, but given I have only a handful of
> > > those examples and on the order of 80,000 Sobig.F messages (8
> > > *gigabytes* of infected mail traffic) handled by our existing procmail
> > > virus defuser in the past few days, we decided the tradeoff was worth
> > > it.
> > >
> > > HX-MailScanner: $>Check_Sobig
> > > SCheck_Sobig
> > > R Found to be clean   $#error $@ 5.5.3 $: "Rejecting probable Sobig.F message"
> > > R $*                  $@OK
> > >
> --
> Timothy VanFosson, Manager         E-mail: timv at ccad.uiowa.edu
> Computing Services, Web Master    WWW: http://www.ccad.uiowa.edu/~timv/
> Center for Computer-Aided Design   US Mail: The University of Iowa
> Phone: (319) 335-6298                      208 ERF
> FAX: (319) 384-0542                        Iowa City, Iowa 52242
> 
> What good is it for a man to gain the whole world, yet forfeit
> his soul? Or what can a man give in exchange for his soul?
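The tradeoff the thread argues about can be checked offline. The Python script below is an added illustration, not code from the thread, from MailScanner or from any of the posters: it replays the quoted sendmail check (reject any X-MailScanner header reading "Found to be clean") and the two alternatives Timothy mentions (an organization name in the header, and matching on worm Subject lines) against three constructed messages. Assumptions of mine: the organization-tagged header is written as a header name of the form X-<Org>-MailScanner, and the Subject list is a placeholder to be filled from your own vendor's description of the worm.

```python
"""
Added example: replay the thread's "X-MailScanner: Found to be clean"
rejection rule against constructed messages and count its false positives.
Not code from the unisog thread or from MailScanner.
"""
from email import message_from_string
from email.message import Message

# Placeholder list (constructed), to be replaced with the Subject lines your
# AV vendor publishes for the worm you are filtering.
VIRUS_SUBJECTS = frozenset(s.lower() for s in (
    "re: constructed example subject 1",
    "constructed example subject 2",
))


def bare_mailscanner_header(msg: Message) -> bool:
    """The quoted sendmail rule: an X-MailScanner header whose value is
    'Found to be clean' triggers the 5.5.3 rejection."""
    return any(v.strip().lower() == "found to be clean"
               for v in msg.get_all("X-MailScanner", []))


def org_tagged_mailscanner_header(msg: Message) -> bool:
    """Workaround from the thread: a site that puts its organization name in
    the header (assumed form: X-<Org>-MailScanner) no longer matches the
    bare-header rule above."""
    names = [k.lower() for k in msg.keys()]
    return any(n.startswith("x-") and n.endswith("-mailscanner")
               and n != "x-mailscanner" for n in names)


def virus_subject(msg: Message) -> bool:
    """Alternative the thread suggests: match on known worm Subject lines."""
    return (msg.get("Subject") or "").strip().lower() in VIRUS_SUBJECTS


def classify(raw: str) -> dict:
    """Return which of the three checks fire for one raw RFC 822 message."""
    msg = message_from_string(raw)
    return {
        "rejected_by_header_rule": bare_mailscanner_header(msg),
        "org_tagged": org_tagged_mailscanner_header(msg),
        "rejected_by_subject_rule": virus_subject(msg),
    }


# Constructed sample messages (not captured traffic).
SAMPLES = {
    # Worm-style message carrying a forged bare MailScanner header.
    "forged": (
        "From: someone@example.invalid\n"
        "To: victim@example.invalid\n"
        "Subject: Re: constructed example subject 1\n"
        "X-MailScanner: Found to be clean\n"
        "\n"
        "Please see the attached file for details.\n"
    ),
    # Legitimate mail from a site still using the old default header.
    "legit_old_default": (
        "From: colleague@partner.invalid\n"
        "To: me@example.invalid\n"
        "Subject: Minutes from Thursday\n"
        "X-MailScanner: Found to be clean\n"
        "\n"
        "Minutes attached.\n"
    ),
    # Legitimate mail from a site that added its organization name.
    "legit_org_tagged": (
        "From: colleague@partner.invalid\n"
        "To: me@example.invalid\n"
        "Subject: Minutes from Thursday\n"
        "X-Partner-MailScanner: Found to be clean\n"
        "\n"
        "Minutes attached.\n"
    ),
}


def evaluate(samples=SAMPLES, legitimate=("legit_old_default", "legit_org_tagged")):
    """Classify every sample and count how many legitimate messages the
    bare-header rule would reject (its false positives)."""
    verdicts = {name: classify(raw) for name, raw in samples.items()}
    false_positives = sum(1 for n in legitimate
                          if verdicts[n]["rejected_by_header_rule"])
    return verdicts, false_positives


if __name__ == "__main__":
    verdicts, fp = evaluate()
    for name, v in verdicts.items():
        print(f"{name:18s} {v}")
    print(f"false positives from the bare-header rule: {fp}")
```

Running it shows the point made in the thread: the header rule catches the forged message but also rejects the legitimate message from a site on the old default header, while the organization-tagged site passes; the Subject rule catches the forged message without touching either legitimate one, at the cost of depending on an up-to-date subject list.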


