email attack

Jason Joines joines
Mon May 17 11:53:59 PDT 2004 

Roger Oberholtzer wrote:
> On Mon, 2003-09-22 at 19:39, Jason Joines wrote:
> 
>>Chris Kassopulo wrote:
>>
>>>Greetings,
>>>
>>>For the last two days I've gotten 100's of emails containing exe files.
>>>Bogus microsoft updates and patches.  Each piece is around 150k which
>>>makes for a long download on dialup.  Are there any filters that can
>>>delete emails at the server that have an exe attached.
>>>
>>>I can put up with a little spam, but this is out of control.
>>>
>>>TIA
>>>
>>>Chris
>>
>>
>>   I had this same problem, then checked the procmail mailing list 
>>(nntp://news.gmane.org/gmane.mail.procmail) to see if anyone had a good 
>>recipe for it.
>>   I created a mail folder called null that is just a symbolic link to 
>>/dev/null and used this recipe that works great.
>>
>># swen
>>:0 B:
>>* 
>>^ZGUuDQ0KJAAAAAAAAAB\+i6hSOurGATrqxgE66sYBQfbKATvqxgG59sgBLerGAdL1zAEA6sYBWPXV
>>null
> 
> 
> I have set up procmail to move my incoming mail into a courier imap
> directory. At that time, I tried a simple (I thought) filter to move a
> few messages around. All went south very fast. So, given this complete
> procmail script that currently moves mail into my imap directory, what
> horror would I unleash if I added the above statements just above this
> rule (the only rule) in the file?
> 
> 	:0:
> 	./
> 
> I am an adventurous type of guy. I just did not like when my e-mail went
> away when I did what I thought was a simple filter.
> 
> BTW, how did you come up with this rule? I do not see these numbers in
> the headers of the swen files I am getting. Of course, that would be too
> simple...
> 
> 
> Roger Oberholtzer		roger.oberholtzer at surbrunn.net
> Stockholm, Sweden		http://www.surbrunn.net
> 

   I think you'd be fine adding it just above.  I added it at the top of 
mine.  It does some formail stuff, forwarding of copies, and puts 
hundreds of mailing list messages into folders afterwards.  It's all 
still working.
   I didn't come up with this.  The folks on the procmail list 
(nntp://news.gmane.org/gmane.mail.procmail) did.  I believe that is a 
string in the attachment, not from the headers.
   You can also use /dev/null directly instead of the sym link.  I used 
that at first due to some file locking issues that turned out to be 
unrelated.

More information about the Linux-users mailing list