Stopping the Swen/Gibe.F madness

Mail traffic is at an all-time maximum here because of the Swen/Gibe.F Microsoft mail worm. As the messages are 150 KB in size, a spam-filter solution such as the SpamAssassin/Procmail combination isn't optimal: all of the mail is still downloaded to my workstation before it is filtered. So I decided to fight the spam where it should be fought, on the server side, and installed MailFilter, a nifty mail filtering program which even works for POP3 mailboxes.

Anonymous Wed, 06/15/2005 - 19:08

If you use procmail, you can install clamav to catch these suckers. If you already have SpamAssassin installed and don't want to bother with installing another piece of software, you can add these rules:

# Subrules (names starting with "__" are not scored on their own; a single "_" would give each a default score of 1.0)
header __VIRUS_h0_SWEN_A Subject =~ m{(Current|Newest|New|Last|Latest)? ?(Internet|Network|Net|Microsoft)? ?(Security|Critical)? ?(Patch|Upgrade|Pack|Update)}i
header __VIRUS_h2_SWEN_A From =~ m{(Microsoft|MS)? ?(Internet|Corporation)? ?(Technical|Security|Customer|Public)? ?(Assistance|Services|Center|Bulletin|Division|Section)}i
rawbody __VIRUS_b4_SWEN_A m{Undeliver(able|ed) (mail|message)? ?to}i
# Scored meta rule: fake "security update" subject + fake Microsoft sender + executable attachment, or fake bounce + executable attachment
meta VIRUS_m_SWEN_A ((__VIRUS_h0_SWEN_A && ( MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME ) && __VIRUS_h2_SWEN_A) || (__VIRUS_b4_SWEN_A && ( MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME )))
describe VIRUS_m_SWEN_A http://www.trendmicro.com/vinf...o/default5.asp?VName=WORM_SWEN.A
score VIRUS_m_SWEN_A 10.0

Anonymous Wed, 06/15/2005 - 19:09

In reply to by Anonymous

Mailfilter is great indeed; I use the following ruleset (3 lines; note that the rules begin with DENY, to correct the browser layout mangling):

REG_TYPE=extended
DENY=^Subject:.*(Current|Newest|New|Last|Latest)? ?(Internet|Network|Net|Microsoft)* *(Security|Critical)* *(Patch|Upgrade|Pack|Update)
DENY=^From:.*(Microsoft|MS)? ?(Internet|Corporation)* *(Program Security|Technical|Security|Customer|Public)* *(Support|Assistance|Services|Center|Bulletin|Division|Section).*

These 3 lines catch almost 90% of these suckers...