Thread: SWEN Worm Filters That Work
View Single Post
  #6   Report Post  
Old September 23rd 03, 10:16 PM
 
Posts: n/a
Default
In article ,
David Stinson wrote:
I'm having good success with filtering the SWEN worm garbage
using these filter terms (*letter case and phrases count*):

Filtering for SUBJECT:
Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
User unknown, Returned to Mailer, Critical, failure,
Letter, Advice, Announcement, Message, Latest, Bug, Error,
Notice, Network, Security, Undelivered Mail, Status Notification,
Undeliverable.

Filtering for SENDER:
Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
webservice, Message, Mail Delivery, webbot

So far, it's nailing about 95% of the stuff.
Be sure to check trash before deleting it, since
I was catching one "good" user when I included "ms"
uncapitalized by mistake.

Good luck weathering the storm,
Dave Stinson AB5S

*IF* you can filter on message _body_ content, the following couple of
rules catch practically *every* email-carried virus:

rule 1: a blank line (defined as -zero- or more spaces and/or tabs only)
followed by a line that begins with the three characters 'TVq'.
(this will catch *any* base64-encoded MS executable, so it could
be a problem if people _legitimately_ send you .EXE files as
attachments.)
rule 2: the character string "iframe", with the string "cid:" occuring
'somewhat' later. EVERY occurance of this form of exploit attempt
has had the 'iframe', and 'cid:' on the same line, but they don't
_have_ to be. (this one even catches the stupid 'bounce' messages
that result from the virus having forged _your_ address as the
sender, but where the 'executable content' [that woould trigger
rule 1] has been stripped out by the recipient's virus-filter
software.

I also use a 3rd rule, specifically targetted at the fake "MS security update"
emails -- it's similar to rule 1:

rule 3: a blank line (defined as -zero- or more spaces and/or tabs only)
followed by a line that begins with the three characters 'R0l'.
(that's a capital R, the digit -zero-, and a lower-case L)
This one may be too agressive for many people. it'll trigger on
*any* .GIF file attachment.


The *ideal* tool for doing this kind of filtering is a utility known as
'procmail', installed *on* the mail-server. It processes mail _as_it_arrives_,
*before* delivery to your mailbox. Using the above rules, with a 'throw the
message away' action when triggered, your inbox doesn't fill with clutter,
nor require 'frequent' draining.

I have the luxury of running my own mailserver (on a Unix box), _with_ procmail
installed. It's dumped over *three*hundred*megabytes* of these mails within
the last 20 hours. That's 2000+ messages. _Six_ messages, that had had the
'executable content' removed, managed to get through to my inbox.
Reply With QuoteReply With Quote