[ale] Flood of virii

Byron A Jeff byron at cc.gatech.edu
Fri Sep 19 10:05:09 EDT 2003


> 
> I've gotten well over a hundred in the last 24 hours.  Anybody developed a 
> good procmail rule for detecting these?

Well, mine seems to be doing a pretty good job. I worked on it during the SoBig
attack after I received over 300 messages in a 2-hour period. It has killed

5879

messages in less than a 30 day period. Until today I had been saving the .exe
files. But the save file had gotten up to 44 MB so as of today I am killing
them too. I've also noticed that there is a new spate of .bat and .com files
along with the .scr, .pif, .exe, and .zip (which I still save on the off chance
that something real actually comes along). Here it is (with whitelisted E-mail
addresses deleted):

----------------------------------
# Conditions carrying the B flag are matched against the body, which is where
# the MIME part headers (Content-Type: ...; name="...") live. Matching is
# case-insensitive by default, so .EXE and .Exe are caught as well.
# Anchoring on the extension keeps name="company_report.doc" from matching the
# "com" rule and name="texexport.txt" from matching the "exe" rule, while a
# double extension such as "invoice.txt.exe" is still caught.

# Count every virus carrier. The c flag makes this a carbon-copy recipe: a pipe
# without it counts as final delivery and none of the rules below would ever
# see the message. The named lockfile serializes concurrent spamcount runs (a
# bare ':' on a pipe recipe only makes procmail complain that it cannot
# determine an implicit lockfile).
:0Bc:.spamcount.lock
* name=.*\.(exe|pif|scr|bat|com|zip)"?[ ;]*$
| $HOME/bin/spamcount

# Kill the executable types outright. No lockfile here: /dev/null needs none,
# and procmail could not create /dev/null.lock anyway.
:0B
* name=.*\.(exe|pif|scr|bat|com)"?[ ;]*$
/dev/null

# Keep the .zip ones on the off chance that something real comes along.
:0B:
* name=.*\.zip"?[ ;]*$
Mail/SPAM.ZIP

# Anything that gets this far is ordinary spam.
:0:
Mail/SPAM
------------------------------
And here's my spamcount script:
---------------------------------
#!/usr/local/bin/bash
# Bump a per-user counter once for each virus message procmail pipes in.
# The calling recipe holds a lockfile, so the read/increment/write below
# is not racing against another delivery.

SC=~/.spamcount

# Swallow the message on stdin. If the script exits without reading it,
# procmail's write to the pipe can fail and the delivery is logged as an error.
cat > /dev/null

if [ -r "$SC" ] ; then
   count=$(cat "$SC")
else
   count=0
fi

# Treat an empty or non-numeric counter file as zero instead of erroring out
case "$count" in
   ''|*[!0-9]*) count=0 ;;
esac

echo $((count + 1)) > "$SC"
---------------------------------

My normal spam box (last rule above) is much cleaner now. Pretty much Nigerian
scams and genitalia enlargement now ;-)

I think I'll add a cron entry so I can get a 24 hour count on the virii that 
come through each day.

BAJ
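Added example (not from Byron's post or his procmailrc): the same attachment checks as a plain POSIX shell script that can be run against sample messages without procmail, plus a helper for the 24-hour tally he mentions for cron. The function names, the constructed sample messages and the file names are assumptions made for this example, not anything taken from the list thread.

```sh
#!/bin/sh
# Added example, not part of the original post. Re-implements the procmail
# conditions in shell so they can be exercised on sample messages, plus the
# daily tally helper for the cron idea. Names below are assumptions.

# Body of the message on stdin: everything after the first empty line
# (procmail's B flag matches only this part, not the top-level headers).
msg_body() {
    sed '1,/^$/d'
}

# Print the disposition the procmailrc would apply to the message on stdin:
#   discard    executable attachment type, sent to /dev/null
#   quarantine .zip attachment, kept in Mail/SPAM.ZIP for a look
#   pass       no dangerous attachment name, falls through to Mail/SPAM
# The pattern anchors on the extension at the end of the name= parameter
# (optionally followed by a closing quote or ';'), so "Company_report.doc"
# is not caught by "com" while "invoice.txt.EXE" still is. -i mirrors
# procmail's default case-insensitive matching.
classify() {
    body=$(msg_body)
    if printf '%s\n' "$body" | grep -Eiq 'name=.*\.(exe|pif|scr|bat|com)"?[[:space:];]*$'; then
        echo discard
    elif printf '%s\n' "$body" | grep -Eiq 'name=.*\.zip"?[[:space:];]*$'; then
        echo quarantine
    else
        echo pass
    fi
}

# Cron helper for the 24-hour count: print how many messages spamcount has
# tallied since the previous run, then remember the current total.
# Usage: daily_delta ~/.spamcount ~/.spamcount.yesterday
daily_delta() {
    total=$(cat "$1" 2>/dev/null || echo 0)
    last=$(cat "$2" 2>/dev/null || echo 0)
    echo $((total - last))
    echo "$total" > "$2"
}

# Constructed sample messages (not real captures). A SoBig-style carrier:
SAMPLE_PIF='From: someone@example.com
Subject: Your details

--=_boundary
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
--=_boundary--'

# Double extension, still caught because only the end of the name matters.
SAMPLE_DOUBLE='Subject: invoice

Content-Type: text/plain; name="invoice.txt.EXE"'

# Legitimate document that a looser "name=.*com" rule would have eaten.
SAMPLE_DOC='Subject: Q3 numbers

Content-Type: application/msword; name="Company_report.doc"'

SAMPLE_ZIP='Subject: photos

Content-Type: application/zip; name="photos.zip";
 x-mac-type="0"'

# Extension only appears in a top-level header, so a body-only rule passes it.
SAMPLE_HDR='Subject: name=setup.exe

Just a note, no attachment.'

# Run directly: show the verdict for each sample.
for m in "$SAMPLE_PIF" "$SAMPLE_DOUBLE" "$SAMPLE_DOC" "$SAMPLE_ZIP" "$SAMPLE_HDR"; do
    printf '%s\n' "$m" | classify
done
```

Run directly it prints discard, discard, pass, quarantine, pass for the five samples; from cron, `daily_delta ~/.spamcount ~/.spamcount.yesterday` once a day gives the per-day figure.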
