[Mailman-Developers] New emerging virus/worm. Grr.

Phil Barnett midnight@the-oasis.net
Tue, 23 Apr 2002 21:10:19 -0400


On Tuesday 23 April 2002 06:02 pm, you wrote:
> >> A new emerging worm is out there in windows land. That's bad
> >> enough, but
> >
> > Jeez, chuq, where have you been?  I've been dealing with klez for
> > *months*.  Our central scanners nail about 1,400 of them *a day*.
>
> This is a new variant, not the old Klez. And it's getting worse.

This is what I have in my "Hold posts with header value matching a 
specified regexp" field.

I decided about a month ago that I will no longer tolerate attachments 
going through automatically. It does require me to be more vigilant, 
but it has stopped everything so far. As you can see, some of these are 
quite specific from repeat offenders that spam in plain text. But the 
generic ones are great for stopping virus attachments from going 
anywhere. I got two of my list regulars, one from Europe and one from 
the Far East, to help me admin the list to let legitimate attachments 
through in a reasonable period of time. Generally, the delay is less 
than 30 minutes from the time one is posted until it is released.

I stopped four of these viruses from going out today, which means that 300 
list members were spared virus attacks 4 times. So, I stopped Klez 1200 
times today by having to moderate 4 messages. Pretty good trade, if you 
ask me.

# Lines that *start* with a '#' are comments.
to: friend@public.com
message-id: relay.comanche.denmark.eu
from: list@listme.com
from: .*@uplinkpro.com
from: .*@lithesoft.com
from: .*@paid4survey.net
from: .*@freegift4u.com.*
subject: .*@Podtal.*
from: .*etoyshop.*
from: .*bdavisa.*
subject: .*new photos from my party.*
Content-type: text/html
Content-type: text/enriched
Content-type: text/x-vcard
Content-type: multipart/alternative
Content-type: multipart/related
Content-type: multipart/mixed
Content-type: application/octet-stream
Content-Disposition: attachment
from: .*@lehugo.com.br.*
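
An added example (not part of the original post, and not Mailman's own code): a minimal Python evaluator for rule lines in the format shown above, run against constructed messages. It assumes each rule is a case-insensitive regexp search against the top-level headers only; the function names and sample messages are hypothetical.

```python
import re
from email import message_from_string

# A subset of the rule lines from the post above: "header: regexp".
RULES = """\
# Lines that *start* with a '#' are comments.
from: .*@uplinkpro.com
subject: .*new photos from my party.*
Content-type: text/html
Content-type: multipart/mixed
Content-Disposition: attachment
"""

def parse_rules(text):
    """Return (header, compiled regexp, rule line) for each usable line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header, sep, pattern = line.partition(":")
        if not sep or not pattern.strip():
            continue  # malformed line: skip it rather than guess
        cre = re.compile(pattern.strip(), re.IGNORECASE)
        rules.append((header.strip(), cre, line))
    return rules

def hold_reason(raw_message, rules):
    """Return the first rule line matching a top-level header, else None."""
    msg = message_from_string(raw_message)
    for header, cre, line in rules:
        for value in msg.get_all(header, []):  # header names: case-insensitive
            if cre.search(value):
                return line
    return None

# Constructed sample messages (not real traffic).
PLAIN = ("From: alice@example.org\nSubject: build question\n"
         "Content-Type: text/plain; charset=us-ascii\n\nhello\n")
ATTACH = ("From: bob@example.org\nSubject: hi\nMIME-Version: 1.0\n"
          'Content-Type: multipart/mixed; boundary="b"\n\n'
          "--b\nContent-Type: text/plain\n\nhi\n"
          "--b\nContent-Type: application/octet-stream\n"
          'Content-Disposition: attachment; filename="x.bin"\n\nAAAA\n--b--\n')
# The unescaped '.' in "uplinkpro.com" matches any character, so this
# unrelated (constructed) domain is held too: a false positive to review.
OVERMATCH = "From: carol@uplinkpro-community.example\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("attach", ATTACH), ("overmatch", OVERMATCH)):
        print(name, "->", hold_reason(raw, parse_rules(RULES)) or "deliver")
```

Escaping the dot (`uplinkpro\.com`) narrows the sender rules to the intended domain; the generic Content-type rules are what hold the attachment-bearing message for moderation.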