email attack

Bruce Marshall bmarsh
Mon May 17 11:54:00 PDT 2004


On Tuesday 23 September 2003 3:27 am, Roger Oberholtzer wrote:
> On Mon, 22 Sep 2003 14:45:19 -0500
>
> Jason Joines <joines at bus.okstate.edu> wrote:
> > Roger Oberholtzer wrote:
> > > On Mon, 2003-09-22 at 19:39, Jason Joines wrote:
> > >>Chris Kassopulo wrote:
> > >>>Greetings,
> > >>>
> > >>>For the last two days I've gotten 100's of emails containing exe
> > >>> files. Bogus microsoft updates and patches.  Each piece is
> > >>> around 150k which makes for a long download on dialup.  Are
> > >>> there any filters that can delete emails at the server that have
> > >>> an exe attached.
> > >>>
> > >>>I can put up with a little spam, but this is out of control.
> > >>>
> > >>>TIA
> > >>>
> > >>>Chris
> > >>
> > >>   I had this same problem, then checked the procmail mailing list
> > >>(nntp://news.gmane.org/gmane.mail.procmail) to see if anyone had a
> > >> good recipe for it.
> > >>   I created a mail folder called null that is just a symbolic
> > >> link to /dev/null and used this recipe that works great.
> > >>
> > >># swen
> > >>
> > >>:0 B:
> > >>
> > >>*
> > >>^ZGUuDQ0KJAAAAAAAAAB\+i6hSOurGATrqxgE66sYBQfbKATvqxgG59sgBLerGAdL1
> > >>zAEA6
> > >
> > >sYBWPXV>null
> > >
> > >
> > > I have set up procmail to move my incoming mail into a courier
> > > imap directory. At that time, I tried a simple (I thought) filter
> > > to move a few messages around. All went south very fast. So, given
> > > this complete procmail script that currently moves mail into my
> > > imap directory, what horror would I unleash if I added the above
> > > statements just above this rule (the only rule) in the file?
> > >
> > > 	:0:
> > >
> > > 	./
> > >
> > > I am an adventurous type of guy. I just did not like when my
> > > e-mail went away when I did what I thought was a simple filter.
> > >
> > > BTW, how did you come up with this rule? I do not see these
> > > numbers in the headers of the swen files I am getting. Of course,
> > > that would be too simple...
> > >
> > >
> > > Roger Oberholtzer		roger.oberholtzer at surbrunn.net
> > > Stockholm, Sweden		http://www.surbrunn.net
> >
> >    I think you'd be fine adding it just above.  I added it at the
> > top of mine.  It does some formail stuff, forwarding of copies, and
> > puts hundreds of mailing list messages into folders afterwards. 
> > It's all still working.
> >    I didn't come up with this.  The folks on the procmail list
> > (nntp://news.gmane.org/gmane.mail.procmail) did.  I believe that is
> > a string in the attachment, not from the headers.
> >    You can also use /dev/null directly instead of the sym link.  I
> > used that at first due to some file locking issues that turned out
> > to be unrelated.
>
> If I add it so that my procmail rule file is the following, all my
> e-mail goes away:
>   :0 B:
>
>   *
>   ^ZGUuDQ0KJAAAAAA[line too long]qxgG59sgBLerGAdL1zAEA6sYBWPXV
>   /dev/null
>


I think the '*' should be in front of the ^Z  above.  (on the same line 
and with a space after it)



>   :0:
>
>   ./
>
> (I shortened the rule line in this message because of line wrap
> suspicions.)
>
> If I have only my original rule (below) all is fine:
>   :0:
>
>   ./
>
> Someone hit me upside the head.
>
> I entered the rule EXACTLY as in the suggestion. But, perhaps, the ^Z
> line should really be on the previous line after the '*' ?? I can't
> really play with this as lost messages are lost business.

-- 
+----------------------------------------------------------------------------+
+ Bruce S. Marshall  bmarsh at bmarsh.com  Bellaire, MI         09/23/03 08:33  +
+----------------------------------------------------------------------------+
"There are ten million stories in the Naked City."
"But no one can remember which one is theirs."  Laurie Anderson



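The layout problem raised in this reply (a `*` alone on its line, with the pattern on the line after it) can be checked for before a rule file is put in front of live mail. The following is an added example, not code from the thread. It assumes procmail's recipe layout of a `:0` line, condition lines starting with `*`, then a single action line; the function name and the placeholder pattern are hypothetical.

```python
import re

# Constructed samples: same layout as the rule files quoted in the thread,
# with a placeholder where the (truncated) attachment string would go.
BROKEN_RC = """:0 B:

*
^PLACEHOLDER_ATTACHMENT_STRING
/dev/null

:0:
./
"""
FIXED_RC = """:0 B:
* ^PLACEHOLDER_ATTACHMENT_STRING
/dev/null

:0:
./
"""

ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def lint_procmailrc(text):
    """Return (line_number, message) findings for a flat procmail rc file."""
    findings = []
    in_conditions = False  # True between a ":0" line and its action line
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "}":
            continue  # blank lines, comments and block ends carry no rule
        if line.startswith(":0"):
            in_conditions = True
        elif in_conditions and line.startswith("*"):
            if not line[1:].strip():
                findings.append((number, "condition has no expression; "
                                 "the next line will be taken as the action"))
        elif in_conditions:
            in_conditions = False  # first non-condition line is the action
        elif not ASSIGNMENT.match(line):
            findings.append((number, "line is outside any recipe"))
    return findings


if __name__ == "__main__":
    for name, rc in (("broken", BROKEN_RC), ("fixed", FIXED_RC)):
        print(name, lint_procmailrc(rc) or "no findings")
```

On the broken sample it reports the bare `*` and the orphaned `/dev/null` line; on the fixed sample it reports nothing.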