Procmail recipe for W32/Mydoom / Novarg / Mimail.R ?

[Jim Gillogly]

Does anyone have a good procmail recipe for this new worm?
I'm using the following:

:0 B
* ^This message contains Unicode characters and has been sent
$PMDIR/mydoom-spam
:0 B
* ^The message contains Unicode characters and has been sent
$PMDIR/mydoom-spam
:0 B
* ^The message cannot be represented in 7-bit ASCII encoding and
$PMDIR/mydoom-spam
:0 B
* ^Mail transaction failed. Partial message is available.
$PMDIR/mydoom-spam

After testing this I symlinked "mydoom-spam" to /dev/null.
It gets most of them, but not the few that don't have these strings
in them. Someone suggested filtering by size, which I guess would
be messages between about 31K and 36K, but that seems a bit
draconian. It's still pretty awful, since the 10% or so getting
through this filter still run a dozen every five minutes or so.
It also doesn't catch all the bounces from the damned spammers
having used my email address as the forged sender!

Is anyone using a more specific procmail recipe?

Thanks -
__
Jim Gillogly

 

[Tim Smith]

Does anyone have a good procmail recipe for this new worm?

I've decided there will be no legitimate stuff with a lot of base64 stuff
in it sent to the server I'm dealing with, so am now using this:

:0B
* -75^0
* 1^1 ^[a-zA-Z0-9+/][a-zA-Z0-9+/][a-zA-Z0-9+/][a-zA-Z0-9+/]...[a-zA-Z0-9+/]$
toomuch.base64

where the "..." represents 31 more instances of [a-zA-Z0-0+/]. (I wish
procmail supported {N,M} notation on regular expressions!)

 

[Malev]

Does anyone have a good procmail recipe for this new worm?
I'm using the following:

:0 B
* ^This message contains Unicode characters and has been sent
$PMDIR/mydoom-spam

Wouldn't this reject any email containing the euro character?

 

[Gabriele Neukam]

On that special day, Tim Smith, ([email protected])
said...

I've decided there will be no legitimate stuff with a lot of base64 stuff
in it sent to the server I'm dealing with,

You don't expect mails from Germany, do you? Just yesterday a regular in
de.admin.net-abuse.mail reported that he found out that a certain
combination of at least two Umlauts in the first line of the message
body will Strato have posting it all in base64.

Message-ID: <[email protected]> (in German)

Dang.


Gabriele Neukam

(e-mail address removed)

 

[Abigail M]

I put this up yesterday and it is extremely effective - it stops all
instances (but see caveat below)

:0 B
* >30000
* <38000
* UEsDBAoAAAAAA
/dev/null

The caveat is this:

The string "* UEsDBAoAAAAAA" could potentially block a legitimate zip
file - it is just too broad. However, this has not happened for me,
and the legit zip files I have received via email on my system all
seem to begin with the sequence UEsDBAQ ... rather than the viral
UEsDBAo. The limitation on size above also prevents this recipe from
blocking all files.

However, I would suggest logging and monitoring this recipe for
potential false positives.

I honestly only threw this up in a hurry yesterday after seeing my
server deluged with viral email - but so far it's working well for me.


-Abigail

 

[Jeffrey I Schiller]

In fact it will block any ZIP file whose first entry is "stored"
(i.e., not compressed).

I am currently looking at using (in addition to this):

mydoom1 = 'kPll1Ea7M64srTG4Qs9f8o'
mydoom2 = 'WXURrszriytMbhCz1/yiCG9XP6jS/b/'
mydoom3 = 'CmfHKpD5ZdRGuzOuLK0xuE'

These strings are based on the binary content of the W32.MyDoom virus.
Each represents different "shifts" in the base64 coding (note: some of
the strings are shorter because of the base64 encoding for them ends
with a near there). If a message has any of these strings, then I am
considering it a hit.

-Jeff

 

[H?lio Silva]

In fact it will block any ZIP file whose first entry is "stored"
(i.e., not compressed).

I am currently looking at using (in addition to this):

mydoom1 = 'kPll1Ea7M64srTG4Qs9f8o'
mydoom2 = 'WXURrszriytMbhCz1/yiCG9XP6jS/b/'
mydoom3 = 'CmfHKpD5ZdRGuzOuLK0xuE'

These strings are based on the binary content of the W32.MyDoom virus.
Each represents different "shifts" in the base64 coding (note: some of
the strings are shorter because of the base64 encoding for them ends
with a near there). If a message has any of these strings, then I am
considering it a hit.

-Jeff

This one is working for me

M_SUBJECT=`formail -xSubject: \
| expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
# There is space and tab between []
# see example in timo's procmail recipes tutorial

:0BH
*-4^0
* 1^0 > 31000
* 1^0 < 35000
* 1^0 ^Content-Transfer-Encoding: 7bit
* 10^0 kPll1Ea7M64srTG4Qs9f8o
* 10^0 WXURrszriytMbhCz1/yiCG9XP6jS/b/
* 10^0 CmfHKpD5ZdRGuzOuLK0xuE
* 1^0 ^[ ]charset=.?Windows-1252.?
#obs its a TAB character between brackets [ ]
* 1^0 M_SUBJECT ?? (^$|test|hi|hello|Mail Delivery System|Mail
Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document|file|body|jvlqhn)\.(cmd|exe|pif|bat|scr|zip).?
{
PATSCORE=$=
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}

 

[Abigail M]

In fact it will block any ZIP file whose first entry is "stored"
(i.e., not compressed).

Thanks for clarifying this, Jeff. I knew that the recipe I put up was
overkill, but given the deluge to my server it was worth the risk of a
few false positives. But I will test out a recipe based on the strings
below. I did want to narrow down the recipe I posted, but I was glad
to be able to use it on my own server to give my some time to work out
something more specific.

-Abigail