
# Recommended local sanitizer rules
# $Id: local-rules.procmail,v 1.13 2004-02-16 18:51:59-08 jhardin Exp jhardin $

# Detect Hybris when sent as an anonymous message.
#
# Outer recipe (header-only): message larger than 20000 bytes, with NO
# Subject: and NO To: header at all, and a multipart/mixed body.
# Inner recipe: look in the body for a MIME part whose Content-Disposition:
# or Content-Type: names an .EXE.  procmail matching is case-insensitive
# unless the D flag is given, so ".exe" is caught as well.  The two "1^1"
# conditions are scored, so either one matching is enough.
# Flags on the inner recipe: B = match conditions against the body;
# h = pipe only the header into formail; f = the pipe is a filter (its
# output replaces the header); i = ignore write errors on the pipe.
# formail -A appends the X-Content-Security: headers that the sanitizer
# acts on (NOTIFY / QUARANTINE / REPORT).
# Nothing here is specific to Hybris beyond size and the missing headers:
# any anonymous message carrying an .EXE part is trapped, which is what
# the REPORT text says.
:0
* > 20000
* !^Subject:
* !^To:
* ^Content-Type:.*multipart/mixed;
{
:0 B hfi
* 1^1 ^Content-Disposition:.*\.EXE
* 1^1 ^Content-Type:.*\.EXE
| formail -A "X-Content-Security: [${HOST}] NOTIFY" \
-A "X-Content-Security: [${HOST}] QUARANTINE" \
-A "X-Content-Security: [${HOST}] REPORT: Trapped anonymous executable"
}

# Trap SirCam (signature as of 08/01/2001)
#
# Header: message over 130000 bytes and multipart/mixed.
# Body: a base64 attachment whose encoded data contains one of three
# fixed strings from the worm body.  The three alternatives apparently
# are the same bytes (they decode to text containing "SCam32") at the
# three possible base64 alignments, so the signature is found whatever
# the attachment's byte offset happens to be.
# Matches are DISCARDed rather than quarantined.
:0
* > 130000
* ^Content-Type:.*multipart/mixed;
{
:0 B hfi
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped SirCam worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html"
}

# Trap BadTrans (signature as of 11/26/2001)
#
# Header: 40000 < size < 50000 bytes, Subject: starting "Re:", and the
# worm's fixed MIME boundary string.
# Body: a base64 part declared as audio/x-wav with the worm's fixed
# Content-ID.  (A Windows executable labelled as a sound file is the
# MIME-type mismatch these mail worms used; the fixed Content-ID is the
# strong part of the signature.)
# Matches are DISCARDed.
:0
* > 40000
* < 50000
* ^Subject: Re:
* ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
{
:0 B hfi
* ^Content-Type: audio/x-wav;
* ^Content-ID: <EA4DMGBP9p>
* ^Content-Transfer-Encoding: base64
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
}


# Trap Klez (signature as of 04/26/2002)
# Trap BugBear (signature as of 10/06/2002)
#
# Both worms arrive as a multipart/alternative message over 50000 bytes.
# First body recipe: an HTML part containing a tiny IFRAME (single-digit
# height and width) whose src= is a "cid:" reference to an attached
# audio/* part that carries a Content-ID and is base64 encoded, and whose
# data starts with TVqQAAMAAAAEAAAA -- the base64 encoding of an "MZ"
# DOS/PE executable header.  The "(3D)?" after each "=" allows for the
# HTML having been quoted-printable encoded ("=" becomes "=3D").
# Which worm it is is decided on size alone (the E flag on the second
# inner recipe means "only if the previous recipe did not match"), so
# both REPORT texts say "possible".  The "* > 50000" on the BugBear
# branch is already guaranteed by the outer recipe and is harmless.
# Last recipe (E flag: tried only when the IFRAME recipe did not match):
# Klez's other form -- a Subject: of the shape "A  special  ..." /
# "A  very  ..." / "A  ..." with two spaces before the next word (H ??
# forces that one condition onto the header), plus an
# application/octet-stream part with a Content-ID, base64 encoded and
# starting with an MZ header.
:0
* > 50000
* ^Content-Type:.*multipart/alternative;
{
:0 B
* \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
* ^Content-Type:.*audio/
* ^Content-ID:.*<
* ^Content-Transfer-Encoding: base64
* ^TVqQAAMAAAAEAAAA
{
# larger than 100000 bytes: report as Klez
:0 hfi
* > 100000
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"

# otherwise (50000 < size <= 100000): report as BugBear
:0 E hfi
* > 50000
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible BugBear worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html"

}

# Klez without the IFRAME: keyed on the Subject: and an octet-stream part
:0 B E hfi
* H ?? ^Subject: A( (special|very))?[ ][ ][a-z]
* ^Content-Type:.*application/octet-stream
* ^Content-ID:
* ^Content-Transfer-Encoding: base64
* ^TVqQAAMAAAAEAAAA
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html"

}


# Attempt to trap sendmail header exploit (signature as of 03/05/2003)
#
# CRITICAL NOTE: this WILL NOT protect the system it is installed on.
# procmail runs at local delivery, after the MTA has already parsed the
# message headers, so a vulnerable sendmail on this host is hit before
# this recipe ever sees the message.
# It is intended to prevent a patched Sendmail from relaying an attack
# message onwards.
#
# Header-only recipe (no B flag, so the body is not inspected).  Matches
# any address-bearing header -- Sender/From/To/Reply-To/Cc/Bcc and their
# Resent- forms, Errors-To, Disposition-Notification-To, Apparently-To and
# Return-Path -- that contains five or more empty "<>" address pairs
# followed by a parenthesised comment, the shape of the malformed address
# used by the attack.  Matches are QUARANTINEd, not discarded, so the
# message can be examined.
:0 hfi
* ^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notification|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped possible sendmail header exploit"


# Trap SoBig (signature as of 06/26/2003)
#
# Header: 100000 < size < 120000 bytes, multipart/mixed.
# Body: the worm's fixed cover sentence, a base64 attachment, and a
# Content-Type: or Content-Disposition: whose name= is one of the known
# SoBig filenames (optionally followed by digits) with a .zip extension.
# The two "9876543210^1" conditions are the same pattern twice: once for
# the unfolded header (name= on the Content-* line itself) and once for
# the folded form (name= on a continuation line, reached with ".*$.*"
# since "$" matches a newline in procmail).  The oversized weight means
# either one matching is enough to fire the recipe.
# Matches are QUARANTINEd.
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
:0 B hfi
* ^Please see the attached zip file for details\.
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html"
}


# Trap SoBig.F direct message (signature as of 08/21/2003)
# Thanks to Sergio Cesar <sergio@winc.net> for refinements
#
# Same structure as the SoBig recipe above, with the tighter size window
# (98000 < size < 107000), the .F filename list and .pif/.scr extensions,
# and a looser cover-sentence pattern.
#
# NOTE(review): the outer recipe also REQUIRES an
# "X-MailScanner: Found to be clean" header, i.e. it only acts on mail
# that a MailScanner in front of this host has already passed.  On a site
# that does not run MailScanner this recipe can never fire; drop that
# condition (or adapt it to the local scanner's header) in that case.
:0
* > 98000
* < 107000
* ^Content-Type:.*multipart/mixed;
* ^X-MailScanner: Found to be clean
{
:0 B
* ^(Please )?see the attached (zip )?file for details\.?
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
{

# don't bother the sender, it's forged
# (a notification to the forged From: address would only be backscatter
# to an innocent third party, so sender notification is switched off and
# the action header is NONOTIFY)
SECURITY_NOTIFY_SENDER=

# the message itself is discarded, not quarantined
:0 hfi
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped SoBig.F worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"

}
}


# Trap SoBig.F bounce message (signature as of 08/21/2003)
# Thanks to Sergio Cesar <sergio@winc.net> for refinements
#
# The same SoBig.F signature, but for the case where the worm message
# comes back wrapped in a bounce: the outer recipe requires a daemon
# sender (procmail's built-in FROM_DAEMON pattern) and looks for the
# multipart/mixed Content-Type: and the X-MailScanner: header in the BODY
# ("B ??"), where the quoted original message's headers now are.  The
# MailScanner caveat from the direct-message recipe applies here too.
# Unlike the direct form this is QUARANTINEd rather than discarded.
:0
* > 98000
* < 107000
* ^FROM_DAEMON
* B ?? ^Content-Type:.*multipart/mixed;
* B ?? ^X-MailScanner: Found to be clean
{
:0 B
* ^(Please )?see the attached (zip )?file for details\.?
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|details|application|document.*|movie.*|wicked_scr|your_document|thank_you)\.(zip|pif|scr)"?
{

# don't bother the sender, it's a bounce
# (the "sender" is the bouncing mailer, so notifying it is pointless)
SECURITY_NOTIFY_SENDER=

:0 hfi
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped bounced SoBig.F worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"

}
}


# Trap MiMail (08/01/2003)
#
# Header: 10000 < size < 50000 bytes, multipart/mixed, a From: containing
# "admin@" and a Subject: containing "your account".
# Body: a base64 attachment named message.zip, matched in both the
# unfolded and the folded (".*$.*") header form with the oversized
# weight so either alone fires.
# Matches are QUARANTINEd.
#
# NOTE(review): this recipe leaves sender notification on (NOTIFY, and
# SECURITY_NOTIFY_SENDER is not cleared).  The "admin@" From: address is
# presumably forged like the SoBig.F one, so a sender notification would
# be backscatter to whoever the worm chose as its apparent sender;
# consider the same SECURITY_NOTIFY_SENDER= / NONOTIFY treatment the
# SoBig.F recipes use.
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
* ^From:.*admin@
* ^Subject:.*your account
{
:0 B hfi
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?message\.zip"?
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?message\.zip"?
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped MiMail worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html"
}


# SWEN (09/28/2003)
# originally by Sergey Latkin <slatkin@phg.com>
#
# The D flag makes matching case-sensitive for this recipe, which is why
# the conditions spell out [Uu]pdate etc. themselves.  Each header
# condition also accepts the header name in all capitals ("FROM:", "TO:",
# "SUBJECT:") with no further check -- apparently a spelling the worm
# itself produces, and one a normal mailer would not.
# Header: 130000 < size < 170000 bytes; a From: posing as Microsoft, a
# mailer daemon, an admin or support address; a To: addressed to a
# generic "Client"/"Customer"/... (or a display name of just a space);
# and a Subject: about an update/patch/bug/security fix.
# Body, first variant: a base64 part with a Content-ID, declared as
# audio/x-wav or audio/x-midi but with a name= ending in an executable
# extension (.com/.exe/.bat/.scr/.pif).
# Body, second variant (E flag: only if the first did not match): the
# fake "Microsoft ... Cumulative Patch" notice -- a text/html part in
# quoted-printable or 7bit, a base64 image/gif with a Content-ID, and an
# application/x-msdownload part named *.exe.
# Matches are DISCARDed.
:0 D
* > 130000
* < 170000
* ^(FROM:|From:.*(MS|Microsoft|[Ss]torage|MAILER-DAEMON@|[Aa]dmin|[Dd]aemon|[Tt]echnical|[Pp]ostmaster))
* ^(TO:|To:.*(" "|[Cc]lient|[Cc]ustomer|[Cc]onsumer|[Pp]artner|[Rr]ecipient|[Rr]eceiver|[Uu]ser))
* ^(SUBJECT:|Subject:.*([Uu]pdate|[Uu]pgrade|[Pp]atch|[Bb]ug|[Ee]rror|[Cc]ritical|[Ss]ecurity))
{
# executable disguised as a sound file
:0 B hfi
* ^Content-ID:.*<.*>
* ^Content-Transfer-Encoding:.*base64
* ^Content-Type:.*audio/x-(wav|midi).*name *=.*\.(com|exe|bat|scr|pif)
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped swen variant worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html"

# HTML "Cumulative Patch" notice carrying a .exe
:0 E B hfi
* ^Content-Type:.*text/html
* ^Content-Transfer-Encoding:.*(quoted-printable|7bit)
* ^(Microsoft|MS) (Client|Customer|User|Consumer|Partner)
* ^"September 20[0-9][0-9], Cumulative Patch"
* ^Content-ID:.*<.*>
* ^Content-Type:.*image/gif
* ^Content-Transfer-Encoding:.*base64
* ^Content-Type:.*application/x-msdownload.*name *=.*\.exe
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped swen variant worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html"

}


#
# Trap NovArg
# Signature as of 01/28/2004
# Worm is generating random filenames
#
# Because the attachment name is random, the signature is the message
# shape: 20000 < size < 60000 bytes, multipart/mixed or multipart/report
# (presumably the worm's fake-bounce form), and a text/plain part in the
# body declaring charset Windows-1252 (matched in the single-line and the
# folded ".*$.*" header form, either alone sufficing via the oversized
# weight).  Inner recipe: a base64 attachment whose name= is ANY run of
# letters/digits followed by .zip.
#
# NOTE(review): this is the broadest recipe in the file -- any
# base64-encoded alphanumeric-named .zip in a Windows-1252 plain-text
# message of that size is treated as the worm -- and the action is
# NONOTIFY + DISCARD, so a false positive disappears silently.  Consider
# QUARANTINE (as the SoBig and MiMail recipes do) so mistakes can be
# recovered, or tighten the conditions for the local mail mix.
:0
* > 20000
* < 60000
* ^Content-Type:.*multipart/(mixed|report);
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*charset *= *"?Windows-1252"?
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*$.*charset *= *"?Windows-1252"?
{
:0 B hfi
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?[0-9A-Za-z]+\.zip"?
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?[0-9A-Za-z]+\.zip"?
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html"
}
