email attack

Roger Oberholtzer roger
Mon May 17 11:54:00 PDT 2004


On Mon, 22 Sep 2003 14:45:19 -0500
Jason Joines <joines at bus.okstate.edu> wrote:

> Roger Oberholtzer wrote:
> > On Mon, 2003-09-22 at 19:39, Jason Joines wrote:
> > 
> >>Chris Kassopulo wrote:
> >>
> >>>Greetings,
> >>>
> >>>For the last two days I've gotten 100's of emails containing exe files.
> >>>Bogus microsoft updates and patches.  Each piece is around 150k which
> >>>makes for a long download on dialup.  Are there any filters that can
> >>>delete emails at the server that have an exe attached.
> >>>
> >>>I can put up with a little spam, but this is out of control.
> >>>
> >>>TIA
> >>>
> >>>Chris
> >>
> >>
> >>   I had this same problem, then checked the procmail mailing list 
> >>(nntp://news.gmane.org/gmane.mail.procmail) to see if anyone had a good 
> >>recipe for it.
> >>   I created a mail folder called null that is just a symbolic link to 
> >>/dev/null and used this recipe that works great.
> >>
> >># swen
> >>:0 B:
> >>* 
> >>^ZGUuDQ0KJAAAAAAAAAB\+i6hSOurGATrqxgE66sYBQfbKATvqxgG59sgBLerGAdL1zAEA6
> >sYBWPXV>null
> > 
> > 
> > I have set up procmail to move my incoming mail into a courier imap
> > directory. At that time, I tried a simple (I thought) filter to move a
> > few messages around. All went south very fast. So, given this complete
> > procmail script that currently moves mail into my imap directory, what
> > horror would I unleash if I added the above statements just above this
> > rule (the only rule) in the file?
> > 
> > 	:0:
> > 	./
> > 
> > I am an adventurous type of guy. I just did not like when my e-mail went
> > away when I did what I thought was a simple filter.
> > 
> > BTW, how did you come up with this rule? I do not see these numbers in
> > the headers of the swen files I am getting. Of course, that would be too
> > simple...
> > 
> > 
> > Roger Oberholtzer		roger.oberholtzer at surbrunn.net
> > Stockholm, Sweden		http://www.surbrunn.net
> > 
> 
>    I think you'd be fine adding it just above.  I added it at the top of 
> mine.  It does some formail stuff, forwarding of copies, and puts 
> hundreds of mailing list messages into folders afterwards.  It's all 
> still working.
>    I didn't come up with this.  The folks on the procmail list 
> (nntp://news.gmane.org/gmane.mail.procmail) did.  I believe that is a 
> string in the attachment, not from the headers.
>    You can also use /dev/null directly instead of the sym link.  I used 
> that at first due to some file locking issues that turned out to be 
> unrelated.

If I add it so that my procmail rule file is the following, all my e-mail
goes away:

  :0 B:
  *
  ^ZGUuDQ0KJAAAAAA[line too long]qxgG59sgBLerGAdL1zAEA6sYBWPXV
  /dev/null

  :0:
  ./

(I shortened the rule line in this message because of line wrap
suspicions.)

If I have only my original rule (below) all is fine:

  :0:
  ./

Someone hit me upside the head.

I entered the rule EXACTLY as in the suggestion. But, perhaps, the ^Z line
should really be on the previous line after the '*' ?? I can't really play
with this as lost messages are lost business.

-- 
+----------------------------+-------------------------------+
| Roger Oberholtzer          |   E-mail: roger at opq.se        |
| OPQ Systems AB             |      WWW: http://www.opq.se/  |
| Erik Dahlbergsgatan 41-43  |    Phone: Int + 46 8   314223 |
| 115 34 Stockholm           |   Mobile: Int + 46 733 621657 |
| Sweden                     |      Fax: Int + 46 8   302602 |
+----------------------------+-------------------------------+
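
Added example, not part of the original message and not the procmail list's recipe: a small Python check for the layout question raised above. It assumes procmail's recipe grammar, in which a bare `*` is an empty condition that matches every message and the first line not starting with `*` is the action, so a pattern left on its own line is read as a mailbox file name. The pattern is a placeholder and `lint_procmailrc` is a hypothetical helper.

```python
import re

# Constructed sample: the layout from the message, with a placeholder pattern.
BROKEN_RC = """\
:0 B:
*
^PLACEHOLDER_BASE64_PATTERN
/dev/null

:0:
./
"""
# Same recipe with the pattern moved onto the '*' line.
FIXED_RC = BROKEN_RC.replace("*\n^", "* ^")

RECIPE_START = re.compile(r"^\s*:0")


def lint_procmailrc(text):
    """Return (line_number, message) findings for suspicious recipes."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if not RECIPE_START.match(lines[i]):
            i += 1
            continue
        i += 1
        empty_cond = None
        # Condition lines: every line starting with '*' after the ':0' line.
        while i < len(lines) and lines[i].lstrip().startswith("*"):
            if lines[i].strip() == "*":
                empty_cond = i + 1
            i += 1
        if i >= len(lines):
            break
        # The first non-'*' line is the action (mailbox, pipe or forward).
        action = lines[i].strip()
        if empty_cond is not None:
            findings.append((empty_cond, "empty condition: matches every message"))
        if action.startswith("^") or action.startswith("\\"):
            findings.append((i + 1, "action line looks like a regex: " + action))
        i += 1
    return findings
```

Running it over a copy of a rule file before installing it flags the first recipe in the broken layout and reports nothing for the one-line form.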


