[ale] Flood of virii
Byron A Jeff
byron at cc.gatech.edu
Fri Sep 19 10:05:09 EDT 2003
>
> I've gotten well over a hundred in the last 24 hours. Anybody developed a
> good procmail rule for detecting these?
Well, mine seems to be doing a pretty good job. I worked on it during the SoBig
attack after I received over 300 messages in a 2 hour period. It has killed 5879
messages in less than a 30 day period. Until today I had been saving the .exe
files. But the save file had gotten up to 44 MB so as of today I am killing
them too. I've also noticed that there is a new spate of .bat and .com files
along with the .scr, .pif, .exe, and .zip (which I still save on the off chance
that something real actually comes along). Here it is (with whitelisted E-mail
addresses deleted):
----------------------------------
# Count every message that carries one of the worm attachment types. The 'c'
# flag hands a copy to the pipe and lets procmail carry on to the rules below
# (without it the pipe swallows the message and nothing further runs), and the
# explicit lockfile keeps two deliveries from updating the counter at once.
# Matching on "\.exe" rather than "exe" stops names like company.txt or
# batch-report.pdf from tripping the .com and .bat rules.
:0Bc:$HOME/.spamcount.lock
* ^.*name=.*\.(exe|pif|scr|bat|com|zip)("|;|$)
| $HOME/bin/spamcount
# Kill the executable types outright (no lockfile needed for /dev/null) ...
:0B
* ^.*name=.*\.(exe|pif|scr|bat|com)("|;|$)
/dev/null
# ... but keep the .zip files on the off chance that one is real.
:0B:
* ^.*name=.*\.zip("|;|$)
Mail/SPAM.ZIP
# Everything else goes to the normal spam box.
:0:
Mail/SPAM
------------------------------
And here's my spamcount script:
---------------------------------
#!/usr/local/bin/bash
# Bump a per-user counter of blocked messages. The message itself is thrown
# away; procmail serializes calls through the lockfile on the recipe.
SC=~/.spamcount
cat > /dev/null          # drain the message procmail pipes in, so it never sees a broken pipe
if [ -r "$SC" ] ; then
    count=$(cat "$SC")
else
    count=0
fi
echo $((count + 1)) > "$SC"
---------------------------------
My normal spam box (last rule above) is much cleaner now. Pretty much Nigerian
scams and genitalia enlargement now ;-)
I think I'll add a cron entry so I can get a 24 hour count on the virii that
come through each day.
BAJ
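A MIME-aware version of the same attachment check, added here as an example and not code from the original post: it parses the message with Python's standard email module instead of grepping the body for "name=", so a text attachment called company.txt no longer trips the .com rule while a .pif attachment is still caught. The sample message and the classification names are constructed for the example.

```python
import email
from email import policy

# Attachment types the procmail rules above discard, and the one they set aside.
BLOCKED = {"exe", "pif", "scr", "bat", "com"}
QUARANTINE = {"zip"}

# Constructed sample: a worm-style mail with a benign text part whose name
# ("company.txt") would match the loose regex "name=.*com".
SAMPLE = b"""From: someone@example.net
To: byron@example.net
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; name="company.txt"

See attached.
--XYZ
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""


def classify_attachments(raw):
    """Return (blocked, quarantined): attachment names by extension, case-insensitive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked, quarantined = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() looks at Content-Disposition filename= first, then
        # Content-Type name=, which is what the procmail "name=" match relied on.
        name = part.get_filename()
        if not name:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED:
            blocked.append(name)
        elif ext in QUARANTINE:
            quarantined.append(name)
    return blocked, quarantined


def verdict(raw):
    """Mirror the procmail flow: discard executables, set zips aside, else deliver."""
    blocked, quarantined = classify_attachments(raw)
    if blocked:
        return "discard"
    if quarantined:
        return "spam-zip"
    return "deliver"
```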