This is a discussion on SWEN virus within the Linux Networking forums, part of the Linux Forums category.

On Mon, 10 Nov 2003 17:33:19 -0500, General Schvantzkoph wrote:
> On Mon, 10 Nov 2003 12:52:40 -0600, Shashank Khanvilkar wrote:
>
>> Hi,
>>
>> I am receiving these annoying mails containing swen virus. My PC is not
>> infected with it, and I don't even know where it is coming from.. I
>> could set up filters but I was more concerned about the BW that it eats
>> up, when I download my mails from the server on a dial-up connection.
>>
>> Is there any way in which I can configure my SMTP server to stop
>> receiving mails that contain this virus. How do I attack this
>> problem.??
>
> I set up a cron job that runs mailfilter 10 times an hour. I configured
> mailfilter to delete any e-mail from a stranger that has an attachment
> greater than 50K. While I was at it I added a bunch of subject filters
> that deletes the bounces caused by SvenA plus the usual viagra, penis,
> vicodin stuff plus anything that uses an Asian character set. Mailfilter
> allows you to set up a white list of known e-mail addresses that are
> permitted to send you attachments so you don't have to worry about
> killing e-mails from friends or colleagues.

Hello General, thanks for the interesting post. Could I convince you to
post your clever mailfilter scripting so as to preclude me reinventing the
wheel, so to speak?

And speaking about Schvantzes, did you hear the one about the butcher at
the corner meatmarket who backed into the sausage machine and got a little
behind in his work?

TIA

> Those DNSBL's will prevent the mail from even being accepted by your
> mail server. You (or your ISP) should also add processing after the
> mail enters your server. Software as simple as renattach can block
> your worms by filtering or dropping messages based on attachment
> filename
>
> http://www.pc-tools.net/unix/renattach/
>
> (1.2.0rc2 will be released today)

Now released. Anyway, in your renattach.conf enter:

    badlist = BAT, COM, EXE, PIF, SCR

(or use the much more complete defaults), then in .procmailrc

    :0 wf
    | /path/to/renattach --badlist --kill

That's it, you'll never see swen. Use a more complete badlist, and you'll
catch other viruses too.

--
Jem Berkes
http://www.sysdesign.ca/

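Added example, not part of the original thread and not renattach's own code: a Python illustration of the attachment-filename check described in the post above, using the five-extension badlist from that post. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BADLIST = {"BAT", "COM", "EXE", "PIF", "SCR"}  # the badlist quoted in the post


def bad_attachments(raw: bytes, badlist=BADLIST):
    """Return the attachment filenames whose final extension is on the badlist."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.exe." is still
        # treated as an .exe file; strip them before taking the extension.
        cleaned = name.rstrip(". ")
        # Only the last extension decides how the file is opened, so
        # "photo.jpg.PIF" is checked as PIF, case-insensitively.
        ext = cleaned.rpartition(".")[2].upper() if "." in cleaned else ""
        if ext in badlist:
            hits.append(name)
    return hits


def sample_message(filename: str) -> bytes:
    """Constructed test mail carrying one small attachment named `filename`."""
    m = EmailMessage()
    m["From"] = "stranger@example.net"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("photo.jpg.PIF", "update.exe.", "notes.txt", "README"):
        verdict = "drop" if bad_attachments(sample_message(fn)) else "pass"
        print(f"{fn!r}: {verdict}")
```
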
On Tue, 11 Nov 2003 21:01:46 GMT, Thorg Thorgussonne <thorg@thorg.org> wrote:
>On Mon, 10 Nov 2003 17:33:19 -0500, General Schvantzkoph wrote:
>
>> On Mon, 10 Nov 2003 12:52:40 -0600, Shashank Khanvilkar wrote:
>>
>> I set up a cron job that runs mailfilter 10 times an hour. I configured
>> mailfilter to delete any e-mail from a stranger that has an attachment
>> greater than 50K. While I was at it I added a bunch of subject filters
>> that deletes the bounces caused by SvenA plus the usual viagra, penis,
>> vicodin stuff plus anything that uses an Asian character set. Mailfilter
>> allows you to set up a white list of known e-mail addresses that are
>> permitted to send you attachments so you don't have to worry about
>> killing e-mails from friends or colleagues.
>
>Hello General, thanks for the interesting post. Could I convince you to
>post your clever mailfilter scripting so as to preclude me reinventing the

The mailfilter is a built program for which you can find the source code by
doing a search on www.sourceforge.org.

....Edwin

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Edwin Johnson ....... elj@shreve.net    ~
~ http://www.shreve.net/~elj              ~
~                                         ~
~ "Once you have flown, you will walk the ~
~ earth with your eyes turned skyward,    ~
~ for there you have been, there you long ~
~ to return."                 -- da Vinci ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Wed, 12 Nov 2003 14:09:01 +0000, Edwin Johnson wrote:
> On Tue, 11 Nov 2003 21:01:46 GMT, Thorg Thorgussonne <thorg@thorg.org> wrote:
>>On Mon, 10 Nov 2003 17:33:19 -0500, General Schvantzkoph wrote:
>>
>>> On Mon, 10 Nov 2003 12:52:40 -0600, Shashank Khanvilkar wrote:
>>>
>
>>> I set up a cron job that runs mailfilter 10 times an hour. I configured
>>> mailfilter to delete any e-mail from a stranger that has an attachment
>>> greater than 50K. While I was at it I added a bunch of subject filters
>>> that deletes the bounces caused by SvenA plus the usual viagra, penis,
>>> vicodin stuff plus anything that uses an Asian character set. Mailfilter
>>> allows you to set up a white list of known e-mail addresses that are
>>> permitted to send you attachments so you don't have to worry about
>>> killing e-mails from friends or colleagues.
>>
>>Hello General, thanks for the interesting post. Could I convince you to
>>post your clever mailfilter scripting so as to preclude me reinventing the
>
> The mailfilter is a built program for which you can find the source code by
> doing a search on www.sourceforge.org.
>
> ...Edwin

Here is the link.

http://mailfilter.sourceforge.net

It comes with a sample config file. The thing that you need to do is to set
the MAXSIZE_DENY variable to some value less than 146K (the size of the
SvenA virus attachment), I used 50000

    MAXSIZE_DENY = 50000

The other thing that you need to do is go through your address book and put
all of your known email addresses into its allow list, for example

    ALLOW = ^From:.*@my_friends.com

This will exempt your friends and colleagues from the file size limit.

BTW if you are using Evolution then the way to export your contact list is
to print it to a PDF file and then do a select all in Acrobat and copy it
into an Emacs buffer where you can use an Emacs macro to convert it to a
list that mailfilter can use. As far as I know there is no direct way to
export the contact list from Evolution.
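
Added example, not part of the original thread and not mailfilter's own code: a Python model of the decision the post above describes, where an allow-list match exempts a message from the size limit and anything else over MAXSIZE_DENY is deleted. The `decide` function, the `friends.example` domain and the sample headers are constructed; the assumption is that the size is the whole-message size reported by the mail server.

```python
import re
from email.parser import HeaderParser

MAXSIZE_DENY = 50000  # bytes, the value used in the post

# Same shape as the post's ALLOW line; the domain is a constructed placeholder.
# The dot is escaped and the end of the address anchored so that only this
# exact domain matches.
ALLOW = [r"^From:.*@friends\.example>?\s*$"]


def decide(size, header_text, allow=ALLOW, maxsize=MAXSIZE_DENY):
    """Return 'keep' or 'delete' for one message, given its size in bytes
    and its raw header block."""
    headers = HeaderParser().parsestr(header_text)
    # Rebuild every header as a single unfolded "Name: value" line, so a
    # From: header folded across two lines is still matched as one line.
    lines = [f"{name}: {' '.join(str(value).split())}"
             for name, value in headers.items()]
    for pattern in allow:
        rx = re.compile(pattern, re.IGNORECASE)
        if any(rx.search(line) for line in lines):
            return "keep"  # allow list wins over the size limit
    return "delete" if size > maxsize else "keep"


# Constructed sample headers.
FRIEND = ("From: Alice Example\n <alice@friends.example>\n"
          "Subject: holiday photos\n\n")
STRANGER = "From: someone@elsewhere.example\nSubject: constructed sample\n\n"

if __name__ == "__main__":
    print(decide(146000, FRIEND))    # large mail from an allowed sender
    print(decide(146000, STRANGER))  # large mail from a stranger
    print(decide(2000, STRANGER))    # small mail from a stranger
```
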