Re: [vps-mail] spam viruses really getting me down



Rae, this is the Mytob virus, which is obviously polymorphous and
changing faster than clamav can keep up.  So here are the procmail
recipes I am using (obviously I have to be sure that no one is
actually using these emails for outgoing mail):

# Spoofed Senders
# Header-only recipe (H flag): fires when the whole message is between
# 15000 and 50000 bytes AND the From: line uses one of the spoofed
# local parts at one of our domains. All conditions are ANDed.
:0H
* >15000
* <50000
* ^From: (support|noreply|management|administration|staff|admin|service)@(domain1|domain2)\.com
{
	LOG="Spoofed Sender "
	:0
	/var/mail/quarantine/spoofed
}

# New virus not being caught by clamav - 6/11/05
# identified as Mytob.DD
# Scored conditions: "1^0" adds 1 to the score for each body (B ??)
# phrase that matches, so a single hit is enough to fire the recipe.
# Procmail regexes are case-insensitive by default, so the phrases
# match regardless of capitalisation.
:0
* 1^0 B ?? The Domainname Support Team
* 1^0 B ?? new-password\.zip
* 1^0 B ?? important-details\.zip
{
	LOG="New 2005 Virus "
	:0
	/var/mail/quarantine/spoofed2
}

This is run AFTER clamav.

Recipe #1 is for combinations of spoofed names I've seen, and may
catch many spammers as well - though it usually doesn't because of the
size specification, which is a range large enough to catch all the
viruses I've seen. (Mytob tends to be 42k)

Recipe #2 catches specific phrases that I've seen used in the virus
mail.  You just add more phrases as you've seen them.
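To see how the two recipes above combine their conditions (the ANDed size range plus header regex in the first, the weighted "1^0" body phrases in the second), here is an added Python emulation of their matching logic run over a few constructed sample messages. It is not part of the original post or of procmail; the sample addresses, sizes and phrases are made up for the demonstration, and the regexes are transcribed from the recipes.

```python
import re

# Conditions transcribed from the two recipes. Procmail regexes are
# case-insensitive unless the D flag is set, hence re.I; ^ matches at
# the start of any header line, hence re.M.
SPOOFED_FROM = re.compile(
    r"^From: (support|noreply|management|administration|staff|admin|service)"
    r"@(domain1|domain2)\.com", re.I | re.M)
BODY_PHRASES = [r"The Domainname Support Team", r"new-password\.zip",
                r"important-details\.zip"]


def classify(raw: bytes):
    """Return the quarantine file a message would be delivered to, or None."""
    head, _, body = raw.partition(b"\n\n")
    head, body = head.decode("latin-1"), body.decode("latin-1")
    # Recipe 1: size range is measured over the whole message (header+body)
    # and is ANDed with the spoofed From: header regex.
    if 15000 < len(raw) < 50000 and SPOOFED_FROM.search(head):
        return "/var/mail/quarantine/spoofed"
    # Recipe 2: each matching "1^0" body condition adds 1 to the score;
    # a total score above 0 makes the recipe fire.
    score = sum(1 for p in BODY_PHRASES if re.search(p, body, re.I))
    if score > 0:
        return "/var/mail/quarantine/spoofed2"
    return None


def make_msg(sender: str, body: str) -> bytes:
    # Constructed sample message; the Mytob-like one is padded to about 42 kB.
    return f"From: {sender}\nTo: rae@example.net\nSubject: test\n\n{body}".encode()


SAMPLES = {
    "mytob_like": make_msg("support@domain1.com", "x" * 42000),
    "small_legit": make_msg("support@domain1.com", "Your ticket was updated."),
    "bounce_with_phrase": make_msg("mailer-daemon@example.org",
                                   "Rejected attachment: IMPORTANT-DETAILS.ZIP"),
    "unrelated": make_msg("alice@example.com", "hello"),
}


def run():
    """Classify every constructed sample; used by the usage below."""
    return {name: classify(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, dest in run().items():
        print(f"{name:20s} -> {dest}")
```

The small legitimate message from support@ is left alone because the size range excludes it, while the bounce is caught by the body phrase despite its lower-case regex, which is the case-insensitivity the comment notes.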

I get a report every day of my procmail log (actually, these entries
are logged to a separate "virus.log").  If I get anything in one of
these quarantine files, I save it in the form of a text file to disk,
then go here & upload it:
http://test-clamav.power-netz.de/

This tells me whether clamav already has it in the database.
(Sometimes, between the time that I've gotten the sample and submitted
it, a new recipe has been added.)

If clamav says it has it, I then usually check my clamd.log to see if
it is now catching that particular virus. I run freshclam once an hour
(24 times a day) so I get the updates relatively quickly.

If clamav doesn't identify it, I go here:
http://cgi.clamav.net/sendvirus.cgi

and submit the sample. (Note that they are requesting that you limit
submissions to two samples per day)

Once I submit it, I delete the file containing the sample from my hard
drive and also delete the quarantine file.

The advantage of my system rather than /dev/null is that in the event
of a false positive, I've got the email .... and as noted I can send
the sample to clamav.

So far, the only time this has gotten past the above filters was when
it was a bounce message, which happened to correctly identify the
virus (as did my own computer av program, also updated multiple times
daily).

I don't understand why ISPs persist in configuring email with viruses
to bounce back to "sender", attaching the complete email.  I've yet to
see a virus that came "from" the domain it claims to be from.

-Abigail

======================================================================
This is <vps-mail@xxxxxxxxxxxx>       <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).

