[vox-tech] Spam _bounce_ deluge

Ken Bloom vox-tech@lists.lugod.org
Wed, 28 Jan 2004 16:35:09 -0800



I use maildrop, so you'd need to do a little work to convert the rules,
but I won't even send a full rule, because I want to make sure the
message gets through.

(a) I filter out attachments based on name - .exe .scr .pif .cmd and
.bat all get a message filed as a virus.

(b) The three full virus names (replace the phoneticized punctuation
with the real punctuation) also get a message filed as a virus (because
I move viruses and their bounces to the same folder).

WORM*underscore*MIMAIL*dot*R
W32*slash*Mydoom*at*MM
W32*dot*Novarg*dot*A*at*mm

As a general principle, you can take advantage of the fact that a virus
checker will give you the full name of the virus (which will specify
which platform it runs on and which variant the virus is) while humans
will only pass on the species name, because the rest of the stuff is
implied.

There is one checker that doesn't do this - it just says it detected
dangerous code. But it does tell me its name. This checker is:
RAV*space*AntiVirus and it also gets shunted aside as relating to a
virus.

(To assist this strategy, since I haven't gotten any viruses (or spam)
claiming to be from LUGOD yet, or from any of my other mailing lists,
I filter the mailing lists first. Then I filter for viruses. Then I
filter for spam. Anything that's left over goes into my inbox.)

On 2004.01.28 15:54, Bill Kendrick wrote:
>
> Does anyone have a procmail recipe to filter bounces from the latest
> MS viruses?  My inbox is pretty clean lately, since I'm finally having
> procmail move mailing list traffic into various other boxes, so I can
> peruse them more easily.
>
> However, while I'm not getting much of the MyDoom virus ITSELF, I'm
> getting a lot of bounces (for non-existent addresses that someone's
> machine is mailing to, and forging my address in the From line) and
> alerts from st00pid virus scanners ("You sent a virus!") that are fooled
> by forged headers.
>
> I'd love to have these all drop into some junk folder for me to delete
> en-masse at the end of the day (checking for any false-positives, of
> course)
>
>
> Thx!
>
> -bill!
> bill@newbreedsoftware.com           "Hey Shatner, ya remember that episode of
> http://newbreedsoftware.com/bill/   Space Trek where your show got cancelled?"

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 10/14/2003. If you use GPG *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***

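The filtering order Ken describes (mailing lists first, then virus attachments and scanner-reported full virus names, then spam, then inbox), written out as an added Python classifier that is not part of the original thread and is not a maildrop or procmail rule. The List-Id and X-Spam-Flag headers and the sample messages are assumptions of this example, and the virus names use the real punctuation the post tells you to restore.

```python
import email
import re
from email import policy

# Attachment extensions the post files as viruses.
VIRUS_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat")
# Full virus names from the post with real punctuation restored, plus the one
# scanner that only reports "dangerous code" but does name itself.
VIRUS_MARKERS = ("WORM_MIMAIL.R", "W32/Mydoom@MM", "W32.Novarg.A@mm", "RAV AntiVirus")


def classify(raw):
    """Return the folder for a raw RFC 2822 message, in the post's order."""
    msg = email.message_from_string(raw, policy=policy.default)
    # 1. Mailing lists first. List-Id is an assumed header; the post only
    #    says lists are filtered before viruses because none forge them yet.
    list_id = msg.get("List-Id")
    if list_id:
        return "lists/" + re.sub(r"[<>]", "", str(list_id)).split(".")[0].strip()
    # 2. Viruses and their bounces share a folder: dangerous attachment names...
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(VIRUS_EXTENSIONS):
            return "virus"
    # ...or a scanner's full virus name in the subject or any text part.
    text = str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()
    if any(marker.lower() in text.lower() for marker in VIRUS_MARKERS):
        return "virus"
    # 3. Spam: assumed X-Spam-Flag header set by an upstream spam checker.
    if str(msg.get("X-Spam-Flag", "")).upper() == "YES":
        return "spam"
    # 4. Anything left over goes to the inbox.
    return "inbox"


# Constructed samples (not from the page): a forged-sender bounce that quotes
# the scanner's full virus name, and a message carrying a .pif attachment.
BOUNCE = ("From: MAILER-DAEMON@example.invalid\nSubject: Undeliverable mail\n\n"
          "Your message could not be delivered: W32/Mydoom@MM detected.\n")
WORM = ('Subject: hi\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain\n\nsee attached\n'
        '--b1\nContent-Type: application/octet-stream; name="document.pif"\n'
        'Content-Disposition: attachment; filename="document.pif"\n\nAAAA\n--b1--\n')
```

A list message that happens to quote a virus name still lands in the list folder, which is exactly the ordering caveat the post gives: it only works while nothing forges the list headers.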