[unisog] procmail rule: sobig.f

Steve VanDevender stevev at darkwing.uoregon.edu
Fri Aug 22 17:00:26 GMT 2003


Mike Carter writes:
 > I would be careful using $#error on this.  Since sobig forges return addresses
 > this is likely to return things to the wrong people or dump them on
 > unsuspecting postmasters.  I tested a similar rule last night for 8
 > hours on a key server and dumped 20K messages on one of my fellow 
 > postmasters. If you are comfortable with your check, I would highly recommend 
 > using $#discard instead.

That will only happen if an actual MTA receives the SMTP error code.
Since in nearly all cases it's the Sobig.F SMTP engine talking directly
to our mailer, and since Sobig.F does not implement full MTA-style bounce
handling, this will not generate bounces for those cases.

Also, since as I pointed out there are legitimate MailScanner
installations that insert the "X-MailScanner: Found to be clean" header,
and those _do_ operate through normal MTAs, then at least the
MailScanner users will know that their mail did not go through.

 > > I just broke down and installed this sendmail ruleset.  It's not
 > > perfect, in that I do know of legitimate mail from real MailScanner
 > > installations that will match it, but given I have only a handful of
 > > those examples and on the order of 80,000 Sobig.F messages (8
 > > *gigabytes* of infected mail traffic) handled by our existing procmail
 > > virus defuser in the past few days, we decided the tradeoff was worth
 > > it.
 > > 
 > > HX-MailScanner: $>Check_Sobig
 > > SCheck_Sobig
 > > R Found to be clean	$#error $@ 5.5.3 $: "Rejecting probable Sobig.F message"
 > > R $*			$@OK
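The quoted Check_Sobig header test and the error-versus-discard choice debated above, re-implemented in Python as an added example that is not part of the original thread or of sendmail; the sample messages are constructed, and the mapping of a 5.x.x status to SMTP reply 553 is an assumption.

```python
from email import message_from_bytes

# Status and text the quoted ruleset returns for a matching header.
DSN_STATUS = "5.5.3"
REJECT_TEXT = "Rejecting probable Sobig.F message"

# Constructed sample messages, not captured traffic.
SOBIG_LIKE = (
    b"From: forged@example.org\r\nTo: victim@example.edu\r\n"
    b"X-MailScanner: Found to be clean\r\nSubject: Re: Details\r\n"
    b"\r\nSee the attached file.\r\n"
)
NO_HEADER = b"From: a@example.org\r\nSubject: hi\r\n\r\nplain mail\r\n"
NEAR_MISS = (  # shares the words but is not the exact token sequence
    b"From: a@example.org\r\nX-MailScanner: Found to be clean by scanner\r\n"
    b"\r\nbody\r\n"
)

def check_sobig(raw: bytes) -> tuple:
    """Python equivalent of the Check_Sobig ruleset.

    Sendmail tokenizes the header value, and the LHS 'Found to be clean'
    matches only that exact token sequence, so compare tokens rather
    than testing for a substring.
    """
    msg = message_from_bytes(raw)
    for value in msg.get_all("X-MailScanner", []):
        if value.split() == ["Found", "to", "be", "clean"]:
            return ("error", DSN_STATUS, REJECT_TEXT)
    return ("OK",)

def smtp_reply(decision: tuple, mode: str) -> tuple:
    """Reply the connecting client sees for a decision under a policy.

    mode="error":   refuse inside the SMTP session, as the quoted rule does;
                    the message is never accepted here, so this host never
                    has to bounce it to the (possibly forged) sender.
    mode="discard": accept and drop silently, as Mike Carter suggests;
                    the client sees success and nothing goes back at all.
    Assumption: sendmail sends SMTP 553 for a 5.x.x status whose text
    carries no explicit three-digit reply code.
    """
    if decision[0] != "error":
        return ("accept", "250 2.0.0 OK")
    if mode == "discard":
        return ("accept-and-drop", "250 2.0.0 OK")
    return ("reject", f"553 {decision[1]} {decision[2]}")
```

The only case in which a bounce reaches a forged sender is the one Mike describes: a relaying MTA between the worm and this host accepts the message, receives the 5xx from here, and generates the bounce itself.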
