Killing worms with Procmail
Mar 10th, 2004 by Alex
SpamAssassin - while noble in its quest to rid our email of spam - takes time and bandwidth to run all of its RBL-based checks. The more we can filter out before the message is piped to SpamAssassin, the better. The latest batch of worms seems to be as good a target as any. I’m not a Perl guru - nor would I take credit for the work of others - so I’ve included references where I’m using rules that I’ve found elsewhere. Obviously, some level of customization might have to be done based on your preferences.
Just slap any/all of these into your global procmailrc - or your local .procmailrc - and off you go.
# Catch all Windows executable attachments. Best practice would recommend/dictate
# that no one should be sending these sorts of attachments to begin with. Ideal?
# Reference: http://lists.samba.org/archive/linux/2004-January/009608.html
#
:0 B
* ^Content-Type: .*/.*;$?.*NAME=.*\.(exe|com|bat|pif|scr|lnk)
IN.executables

# Legit email from Hotmail ALWAYS includes an X-Originating-IP line in the
# header; filter on it to kill million$ of $ex $pam$!
# Reference: http://www.everything2.com/index.pl?node_id=501282&lastnode_id=1349306
#
:0 H:
* ^(From|X-From-Line|Return-Path):.*hotmail\.com
* !^X-Originating-IP:
IN.fake-hotmail

## W32/MyDoom.A (aka Mimail.R, Novarg.A, Shimg, W32.Novarg.A at mm, W32/Mydoom at MM)
## Possibly also .B mutation
## All but .zip would already be picked up by the previous rule.
#
#:0 B
#* ^Content-Type: text/plain;$?.*charset="Windows-1252"$
#* ^Content-Type: application/octet-stream;$?.*name=".*\.(bat|cmd|exe|pif|scr|zip)"$
#* #^(UEsDBAoAAAAAA......(KJx\+eAFgAAABYAA|PBsbVAlgAAAJYAA|CQHPJRl8AAEZfAA)|TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA)
#IN.2004-worms

## Another recipe for MyDoom variants.
## www.oblomovka.com/entries/2004/01/29
#
#:0 HB
#* <50000
#* ^Subject: (test|hi|hello|Mail Delivery System|Mail Transaction Failed|Server Report|Status|Error)$
#* ^Content-type: application/octet-stream;
#* (file)?name="(document|readme|doc|text|file|data|test|message|body).(pif|scr|exe|cmd|bat|zip)
#IN.2004-worms
You’ll note that the last two recipes are commented out, since the first recipe takes care of most - if not all - of those attachment types regardless of other content. If you have a reason to receive PIF, SCR, etc. you may want to uncomment them, although it isn’t recommended. Good luck.
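To check how the recipes above interact without a running mail server, here is an added example (not from the original post) that re-implements the executable, fake-Hotmail and MyDoom rules in Python, in the same order procmail would try them, over constructed messages; the sample messages, the worm_sample helper and the 192.0.2.10 address are all constructed for this example.

```python
import email
import re
from email import policy

# Patterns lifted from the recipes above; procmail matches case-insensitively, hence re.I.
EXEC_EXT = re.compile(r'\.(exe|com|bat|pif|scr|lnk)$', re.I)
MYDOOM_SUBJECT = re.compile(r'^(test|hi|hello|Mail Delivery System|Mail Transaction Failed|'
                            r'Server Report|Status|Error)$')
MYDOOM_NAME = re.compile(r'^(document|readme|doc|text|file|data|test|message|body)'
                         r'\.(pif|scr|exe|cmd|bat|zip)$', re.I)

def classify(raw: str) -> str:
    """Return the folder the recipes would deliver this message to, trying them in order."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    # Recipe 1 (IN.executables): any attachment with a Windows-executable extension.
    if any(EXEC_EXT.search(n) for n in names):
        return 'IN.executables'
    # Recipe 2 (IN.fake-hotmail): claims a hotmail.com origin but carries no X-Originating-IP.
    origin = ' '.join(str(msg.get(h, '')) for h in ('From', 'X-From-Line', 'Return-Path'))
    if 'hotmail.com' in origin.lower() and msg.get('X-Originating-IP') is None:
        return 'IN.fake-hotmail'
    # Recipe 3 (IN.2004-worms): small message, stock MyDoom subject and stock attachment name.
    if (len(raw) < 50000 and MYDOOM_SUBJECT.match(str(msg.get('Subject', '')))
            and any(MYDOOM_NAME.match(n) for n in names)):
        return 'IN.2004-worms'
    return 'INBOX'

def worm_sample(subject: str, filename: str) -> str:
    """Constructed MIME message shaped like the MyDoom mails the recipes target (not a real worm)."""
    return (f'From: user@example.net\nSubject: {subject}\nMIME-Version: 1.0\n'
            'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
            'Content-Type: text/plain; charset="Windows-1252"\n\nSee attached.\n--b1\n'
            f'Content-Type: application/octet-stream; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n'
            'Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n--b1--\n')

# Constructed header-only samples for the Hotmail recipe.
FAKE_HOTMAIL = 'From: friend@hotmail.com\nSubject: hi\n\nClick here!\n'
REAL_HOTMAIL = ('From: friend@hotmail.com\nX-Originating-IP: [192.0.2.10]\n'
                'Subject: hi\n\nHello!\n')

if __name__ == '__main__':
    print(classify(worm_sample('Mail Delivery System', 'document.scr')))  # IN.executables
    print(classify(worm_sample('test', 'readme.zip')))                    # IN.2004-worms
    print(classify(FAKE_HOTMAIL))                                         # IN.fake-hotmail
    print(classify(REAL_HOTMAIL))                                         # INBOX
```

The .scr sample never reaches the MyDoom rule because the executable recipe catches it first, while the .zip sample only lands in IN.2004-worms if that commented recipe is enabled, which is exactly the overlap the note above describes.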