[Mailman-Developers] New emerging virus/worm. Grr.
Phil Barnett
midnight@the-oasis.net
Tue, 23 Apr 2002 21:10:19 -0400
On Tuesday 23 April 2002 06:02 pm, you wrote:
> >> A new emerging worm is out there in windows land. That's bad
> >> enough, but
> >
> > Jeez, chuq, where have you been? I've been dealing with klez for
> > *months*. Our central scanners nail about 1,400 of them *a day*.
>
> This is a new variant, not the old Klez. And it's getting worse.
This is what I have in my "Hold posts with header value matching a
specified regexp" field.
I decided about a month ago that I will no longer tolerate attachments
going through automatically. It does require me to be more vigilant,
but it has stopped everything so far. As you can see, some of these are
quite specific from repeat offenders that spam in plain text. But the
generic ones are great for stopping virus attachments from going
anywhere. I got two of my list regulars, one from Europe and one from
the Far East to help me admin the list to let legitimate attachments
through in a reasonable period of time. Generally, the delay is less
than 30 minutes from the time one is posted until it is released.
I stopped four of these viruses from going out today, which means that 300
list members were spared virus attacks 4 times. So, I stopped Klez 1200
times today by having to moderate 4 messages. Pretty good trade, if you
ask me.
# Lines that *start* with a '#' are comments.
to: friend@public.com
message-id: relay.comanche.denmark.eu
from: list@listme.com
from: .*@uplinkpro.com
from: .*@lithesoft.com
from: .*@paid4survey.net
from: .*@freegift4u.com.*
subject: .*@Podtal.*
from: .*etoyshop.*
from: .*bdavisa.*
subject: .*new photos from my party.*
Content-type: text/html
Content-type: text/enriched
Content-type: text/x-vcard
Content-type: multipart/alternative
Content-type: multipart/related
Content-type: multipart/mixed
Content-type: application/octet-stream
Content-Disposition: attachment
from: .*@lehugo.com.br.*
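
The rule list above can be checked against sample posts before it goes live. The following is an added example, not part of the original post and not Mailman's own code: it assumes each rule is a case-insensitive regexp searched against the top-level headers of the message, and the sample messages and addresses are constructed.

```python
import re
from email import message_from_string

# Subset of the rules from the post, in the same "header: regexp" form.
RULES = """\
# Lines that *start* with a '#' are comments.
from: .*@uplinkpro.com
subject: .*new photos from my party.*
Content-type: text/html
Content-type: multipart/mixed
Content-type: application/octet-stream
Content-Disposition: attachment
"""

def parse_rules(text):
    """Return [(header_name, compiled_regex)], skipping blanks and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, pattern = line.partition(":")
        if not sep:
            continue  # not a "header: regexp" line
        rules.append((name.strip().lower(), re.compile(pattern.strip(), re.IGNORECASE)))
    return rules

def hold_reason(raw_message, rules):
    """Return the first matching rule as 'header: pattern', or None to pass the post."""
    msg = message_from_string(raw_message)
    for name, cre in rules:
        # Assumption: only top-level headers are inspected, not inner MIME parts.
        for value in msg.get_all(name, []):
            if cre.search(value):
                return f"{name}: {cre.pattern}"
    return None

# Constructed sample posts (not real traffic).
PLAIN = "From: alice@example.org\nSubject: meeting notes\nContent-Type: text/plain\n\nhello\n"
ATTACH = ("From: bob@example.org\nSubject: hi\n"
          'Content-Type: multipart/mixed; boundary="b"\n\n'
          "--b\nContent-Type: text/plain\n\nsee file\n"
          "--b\nContent-Type: application/octet-stream\n"
          'Content-Disposition: attachment; filename="setup.exe"\n\nMZ\n--b--\n')
HTML = "From: carol@example.org\nSubject: New Photos From My Party\nContent-Type: text/html\n\n<b>x</b>\n"

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for label, raw in (("plain", PLAIN), ("attachment", ATTACH), ("html", HTML)):
        print(label, "->", hold_reason(raw, rules) or "pass")
```

Under the top-level-only assumption, the attachment sample is held by the generic multipart/mixed rule; the Content-Disposition rule alone would not fire, because that header sits on the inner MIME part.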