[109534] in Cypherpunks
Re: Blocking the Melissa Trojan
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Sun Mar 28 08:18:38 1999
Date: Sun, 28 Mar 1999 08:01:00 -0500
To: cypherpunks@cyberpass.net
From: Robert Hettinga <rah@shipwright.com>
Reply-To: Robert Hettinga <rah@shipwright.com>
--- begin forwarded text
Resent-Date: Sun, 28 Mar 1999 07:14:06 +0200 (MET DST)
Date: Sat, 27 Mar 1999 20:12:22 -0800 (PST)
From: "John D. Hardin" <jhardin@wolfenet.com>
Reply-To: "John D. Hardin" <jhardin@wolfenet.com>
To: Brett Glass <brett@lariat.org>
cc: Procmail List <procmail@informatik.rwth-aachen.de>,
Bugtraq List <BUGTRAQ@netspace.org>
Subject: Re: Blocking the Melissa Trojan
Resent-From: procmail@informatik.rwth-aachen.de
Resent-Sender: procmail-request@informatik.rwth-aachen.de
On Sat, 27 Mar 1999, Brett Glass wrote:
>At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
>>On Sat, 27 Mar 1999, Brett Glass wrote:
>>
>>> Excellent. Is there a default "poisoned executables" file in the
>>> package? Or do admins have to construct a list themselves?
>>
>>They have to make it themselves if they wish to use the facility. The
>>web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story.
>
> It turns out that the Melissa code also infects NORMAL.DOT, so that
> the computer starts producing infected documents. When one of those
> documents hits a machine that hasn't been infected yet, that machine
> sends out a barrage of e-mail.... Using the NEW document as the
> attachment! It'll have a different name. So, we also need to filter
> by subject and body.
That's a job that regular procmail is well suited to. If the subject
is fixed (hang on, reading bugtraq...)
Per Aleph1:
The subject line is "important Message From <some user name>". The
body consists of the text "Here is that document you asked for...
don't show anyone else;-)".
That's fairly simple...
# Outer recipe: look at the headers (H) only for the worm's fixed subject.
# procmail matches case-insensitively by default.
:0 H
* ^Subject:.*important Message From
{
    # Inner recipe: search the body (B). MIME part headers live in the
    # body, so the Content-* line catches a .doc/.dot attachment.
    :0 B
    * Here is that document you asked for
    * don't show anyone else
    * ^Content-.*: .*\.do[ct]
    {
        # Note the hit in the procmail log, then divert the message
        # to the quarantine folder instead of the user's inbox.
        LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '

        :0
        security-quarantine
    }
}
--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
In the Lion
the Mighty Lion
the Zebra sleeps tonight...
Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
52 days until Star Wars episode I
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
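The recipe in the forwarded message combines three indicators (the fixed subject, the two body phrases, and a .doc/.dot attachment) and quarantines only when all three are present. The following Python script is an added example, not code from the thread or from either author, that applies the same three-part test to RFC 822 messages using the standard library's email parser, so the logic can be checked against sample messages before being deployed as a mail filter. The message texts, addresses and attachment bytes are constructed here for illustration; nothing in them is a real capture of the worm.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The three indicator groups the procmail recipe in the thread chains together.
# Matching is case-insensitive, as procmail's default matching is.
SUBJECT_RE = re.compile(r"important message from", re.IGNORECASE)
BODY_RES = (
    re.compile(r"here is that document you asked for", re.IGNORECASE),
    re.compile(r"don't show anyone else", re.IGNORECASE),
)
ATTACHMENT_RE = re.compile(r"\.do[ct]$", re.IGNORECASE)


def melissa_indicators(raw: bytes) -> list:
    """Return the indicator groups matched by one RFC 822 message.

    Possible entries are "subject", "body" and "attachment". An empty list
    means the message looks nothing like the worm's template.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []

    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")

    # Both body phrases must be present, mirroring the two '*' body conditions.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if all(r.search(text) for r in BODY_RES):
        hits.append("body")

    # The recipe's ^Content-.*: .*\.do[ct] line is approximated by checking the
    # attachment filename or a Word MIME type on any attachment part.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.search(name) or part.get_content_type() == "application/msword":
            hits.append("attachment")
            break

    return hits


def should_quarantine(raw: bytes) -> bool:
    """True only when all three indicator groups match, as in the nested recipe."""
    return set(melissa_indicators(raw)) == {"subject", "body", "attachment"}


def _build(subject: str, body_text: str, attach_name) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = subject
    m.set_content(body_text)
    if attach_name:
        # Placeholder bytes standing in for a Word document; not a real file.
        m.add_attachment(b"constructed placeholder document bytes",
                         maintype="application", subtype="msword",
                         filename=attach_name)
    return m.as_bytes()


# Three constructed samples: one matching all indicators, one with a benign body
# and an innocent .doc attachment, one with the worm text but no attachment.
WORM_LIKE = _build("Important Message From Alice",
                   "Here is that document you asked for ... don't show anyone else ;-)",
                   "quarterly-report.doc")
BENIGN = _build("Important Message From Alice",
                "Minutes from Monday attached.",
                "minutes.doc")
NO_ATTACH = _build("Important Message From Alice",
                   "Here is that document you asked for ... don't show anyone else ;-)",
                   None)

if __name__ == "__main__":
    samples = (("worm-like", WORM_LIKE), ("benign", BENIGN), ("no-attachment", NO_ATTACH))
    for label, raw in samples:
        verdict = ('REJECT Possible "Melissa" Microsoft Word macro worm'
                   if should_quarantine(raw) else "deliver")
        print(f"{label:14s} indicators={melissa_indicators(raw)} -> {verdict}")
```

Requiring all three groups keeps a legitimate "important message" with a Word attachment out of quarantine, which is the same trade-off the nested recipe makes; a filter keyed on the subject alone would have diverted ordinary mail as well.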