Procmail recipe for W32/Mydoom / Novarg / Mimail.R ?


Jim Gillogly

Does anyone have a good procmail recipe for this new worm?
I'm using the following:

:0 B
* ^This message contains Unicode characters and has been sent
$PMDIR/mydoom-spam
:0 B
* ^The message contains Unicode characters and has been sent
$PMDIR/mydoom-spam
:0 B
* ^The message cannot be represented in 7-bit ASCII encoding and
$PMDIR/mydoom-spam
:0 B
* ^Mail transaction failed. Partial message is available.
$PMDIR/mydoom-spam

After testing this I symlinked "mydoom-spam" to /dev/null.
It gets most of them, but not the few that don't have these strings
in them. Someone suggested filtering by size, which I guess would
be messages between about 31K and 36K, but that seems a bit
draconian. It's still pretty awful, since the 10% or so getting
through this filter still run a dozen every five minutes or so.
It also doesn't catch all the bounces from the damned spammers
having used my email address as the forged sender!

Is anyone using a more specific procmail recipe?

Thanks -
--
Jim Gillogly
 
Does anyone have a good procmail recipe for this new worm?

I've decided there will be no legitimate stuff with a lot of base64 stuff
in it sent to the server I'm dealing with, so am now using this:

:0B
* -75^0
* 1^1 ^[a-zA-Z0-9+/][a-zA-Z0-9+/][a-zA-Z0-9+/][a-zA-Z0-9+/]...[a-zA-Z0-9+/]$
toomuch.base64

where the "..." represents 31 more instances of [a-zA-Z0-9+/]. (I wish
procmail supported {N,M} notation on regular expressions!)
 
Does anyone have a good procmail recipe for this new worm?
I'm using the following:

:0 B
* ^This message contains Unicode characters and has been sent
$PMDIR/mydoom-spam

Wouldn't this reject any email containing the euro character?
 
On that special day, Tim Smith, ([email protected]) said...
I've decided there will be no legitimate stuff with a lot of base64 stuff
in it sent to the server I'm dealing with,

You don't expect mails from Germany, do you? Just yesterday a regular in
de.admin.net-abuse.mail reported that he found out that a certain
combination of at least two umlauts in the first line of the message
body will make Strato post it all in base64.

Message-ID: <[email protected]> (in German)

Dang.


Gabriele Neukam

 
I put this up yesterday and it is extremely effective - it stops all
instances (but see caveat below)

:0 B
* >30000
* <38000
* UEsDBAoAAAAAA
/dev/null

The caveat is this:

The string "* UEsDBAoAAAAAA" could potentially block a legitimate zip
file - it is just too broad. However, this has not happened for me,
and the legit zip files I have received via email on my system all
seem to begin with the sequence UEsDBAQ ... rather than the viral
UEsDBAo. The limitation on size above also prevents this recipe from
blocking all files.

However, I would suggest logging and monitoring this recipe for
potential false positives.

I honestly only threw this up in a hurry yesterday after seeing my
server deluged with viral email - but so far it's working well for me.


-Abigail
 
In fact it will block any ZIP file whose first entry is "stored"
(i.e., not compressed).

I am currently looking at using (in addition to this):

mydoom1 = 'kPll1Ea7M64srTG4Qs9f8o'
mydoom2 = 'WXURrszriytMbhCz1/yiCG9XP6jS/b/'
mydoom3 = 'CmfHKpD5ZdRGuzOuLK0xuE'

These strings are based on the binary content of the W32.MyDoom virus.
Each represents a different "shift" in the base64 coding (note: some of
the strings are shorter because the base64 encoding for them ends near
there). If a message has any of these strings, then I am considering it
a hit.

-Jeff
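The three strings above are the same bytes seen at the three possible base64 alignments, which is why all three are needed. The following added example (not code from the thread) recovers the 10 bytes the strings have in common, regenerates the three alignment variants for any byte signature, and checks a line-wrapped base64 body against them; the byte value and sample bodies are constructed for the demonstration, not an authoritative worm signature.

```python
import base64
import re

# Constructed for this example: the 10 bytes that the three posted strings
# have in common (recovered by base64-decoding where they overlap).  It is a
# demonstration value, not an authoritative signature for the worm.
SHARED_BYTES = bytes.fromhex("65d446bb33ae2cad31b8")

# The three strings exactly as posted in the thread.
POSTED = {
    "mydoom1": "kPll1Ea7M64srTG4Qs9f8o",
    "mydoom2": "WXURrszriytMbhCz1/yiCG9XP6jS/b/",
    "mydoom3": "CmfHKpD5ZdRGuzOuLK0xuE",
}


def base64_alignments(sig: bytes) -> list[str]:
    """Return the three base64 texts `sig` can appear as, one per alignment.

    Base64 packs 3 bytes into 4 characters, so the same bytes encode
    differently depending on (offset mod 3).  For each alignment k we encode
    with k placeholder bytes in front and keep only the characters whose
    6 bits lie entirely inside `sig`, i.e. the part that never changes.
    """
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + sig).decode("ascii").rstrip("=")
        first = (8 * k + 5) // 6              # first char fully inside sig
        last = (8 * (k + len(sig))) // 6      # one past the last such char
        variants.append(enc[first:last])
    return variants


def body_matches(body: str, sig: bytes) -> bool:
    """True if a line-wrapped base64 body contains `sig` at any alignment.

    Whitespace is stripped first, so a signature that straddles two 76-column
    lines (which a line-oriented grep or procmail condition misses) still hits.
    """
    flat = re.sub(r"\s+", "", body)
    return any(v in flat for v in base64_alignments(sig))


def _wrap76(text: str) -> str:
    return "\n".join(text[i:i + 76] for i in range(0, len(text), 76))


# Constructed sample bodies: 52 filler bytes put SHARED_BYTES at offset 52
# (alignment 1) and make the 76-column line break fall inside the signature.
SAMPLE_BODY = _wrap76(base64.b64encode(
    b"PK\x03\x04" + b"x" * 48 + SHARED_BYTES + b"y" * 30).decode("ascii"))
BENIGN_BODY = _wrap76(base64.b64encode(b"just a harmless text file\n" * 8).decode("ascii"))
```

Each posted string contains exactly one of the three variants, and the sample body is only caught once the lines are joined, which is the case a per-line procmail condition would miss.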
 
This one is working for me

# Normalise the Subject: header; there is a space and a tab between the [].
# See the example in Timo's procmail recipes tutorial.
M_SUBJECT=`formail -xSubject: \
| expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`

# Scored recipe: the score starts at -4, so the conditions must add more
# than 4 points (a single signature string alone scores 10).
# Note: it is a TAB character between the brackets in the charset condition.
:0BH
* -4^0
* 1^0 > 31000
* 1^0 < 35000
* 1^0 ^Content-Transfer-Encoding: 7bit
* 10^0 kPll1Ea7M64srTG4Qs9f8o
* 10^0 WXURrszriytMbhCz1/yiCG9XP6jS/b/
* 10^0 CmfHKpD5ZdRGuzOuLK0xuE
* 1^0 ^[ ]charset=.?Windows-1252.?
* 1^0 M_SUBJECT ?? (^$|test|hi|hello|Mail Delivery System|Mail Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document|file|body|jvlqhn)\.(cmd|exe|pif|bat|scr|zip).?
{
  # Record the score that triggered the match, then discard the message.
  PATSCORE=$=
  LOG=`echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
  :0
  /dev/null
}
 
In fact it will block any ZIP file whose first entry is "stored"
(i.e., not compressed).

Thanks for clarifying this, Jeff. I knew that the recipe I put up was
overkill, but given the deluge to my server it was worth the risk of a
few false positives. But I will test out a recipe based on the strings
below. I did want to narrow down the recipe I posted, but I was glad
to be able to use it on my own server to give me some time to work out
something more specific.

-Abigail
 