From: stuart at (lsi)
Subject: (Fwd) how to filter the xmas virus

------- Forwarded message follows -------
From:           	lsi <>
Subject:        	how to filter the xmas virus
Send reply to:
Date sent:      	Fri, 17 Dec 2004 12:57:48 -0000

Hmm, the Xmascard virus uses different headers and so skipped past my 
existing filters, until I added the strings below:


What to do with those strings?  Well, you need to tell your mail 
processing software to find messages with those strings in it, and 
any it finds, flag them as a likely virus, and filter them out of the 
inbox somehow.

The strings above can be used in a variety of situations: on an SMTP 
server (qmail, for example), in a spamfilter (such as SpamPal), or 
indeed in a POP3 client such as Pegasus Mail.

There are a few other strings; those are the new ones required to 
filter the xmas virus.

I have details on how to do it with Pegasus here:

The SpamPal syntax is:

# +++++++++++++++++++++++++++++
# ++ generic MIME signatures ++
# +++++++++++++++++++++++++++++
# use these to filter mails based on their MIME content

=Line: 9999 {^TVqQAAMAAA*} [MIMEAV: Win32 executable variant 1]
=Line: 9999 {^TVoAAAEAAAA*} [MIMEAV: Win32 executable variant 2]
=Line: 9999 {^TVoAAAAAAAAAAAAAUEUAAE*} [MIMEAV: Win32 executable variant 3]

=Line: 9999 {^UEsDBAoAA*} [MIMEAV: Zipfile variant 1]
=Line: 9999 {^UEsDBBQAA*} [MIMEAV: Zipfile variant 2]

In SpamPal, if you place these filters at the top of your 
DEFAULT_FILTERS.DAT file rather than in your FILTERS_VIRUS.DAT file, 
you will experience a significant performance boost.  You can even 
comment out the call to filters_virus, since these work better.
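As an added illustration (not part of the original post), the script below shows why those SpamPal rules work and applies them to a raw message: each pattern is the base64 spelling of a file's first bytes (MZ for Win32 executables, PK for zip archives), so a body line that starts with it is a base64-encoded attachment of that type, caught without decoding anything. The MZ/PK byte strings and the MIME message builder are constructed samples, not real malware.

```python
import base64
import re

# The five SpamPal rules from the post, as (regex anchored at line start, label).
# Each pattern is the base64 encoding of a file type's leading bytes as they
# appear on the first line of a base64-encoded MIME body part.
SIGNATURES = [
    (r"^TVqQAAMAAA", "MIMEAV: Win32 executable variant 1"),
    (r"^TVoAAAEAAAA", "MIMEAV: Win32 executable variant 2"),
    (r"^TVoAAAAAAAAAAAAAUEUAAE", "MIMEAV: Win32 executable variant 3"),
    (r"^UEsDBAoAA", "MIMEAV: Zipfile variant 1"),
    (r"^UEsDBBQAA", "MIMEAV: Zipfile variant 2"),
]
COMPILED = [(re.compile(p), label) for p, label in SIGNATURES]


def signature_magic(b64_prefix: str) -> bytes:
    """Decode the whole base64 quanta of a signature to show the raw bytes it matches."""
    usable = b64_prefix[: len(b64_prefix) // 4 * 4]  # 4 base64 chars = 3 bytes
    return base64.b64decode(usable)


def scan_message(raw_message: str) -> list:
    """Return (line number, label) for every line that starts with a known signature."""
    hits = []
    for lineno, line in enumerate(raw_message.splitlines(), start=1):
        for pattern, label in COMPILED:
            if pattern.match(line):
                hits.append((lineno, label))
                break
    return hits


def build_sample(attachment: bytes) -> str:
    """Constructed minimal MIME part: the attachment base64-encoded, 76 chars per line."""
    body = base64.encodebytes(attachment).decode("ascii")
    return ("Content-Type: application/octet-stream\n"
            "Content-Transfer-Encoding: base64\n\n" + body)


# Constructed payloads: only the leading magic bytes matter, the rest is padding.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
FAKE_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 22

if __name__ == "__main__":
    for sig, _ in SIGNATURES:
        print(sig.lstrip("^"), "->", signature_magic(sig.lstrip("^")))
    print(scan_message(build_sample(FAKE_EXE)))
    print(scan_message(build_sample(FAKE_ZIP)))
```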

In general, the further back toward the source that filtering is 
applied, the less time/money/resources are wasted processing the 
filtered material.

Happy Hollydays :)


------- End of forwarded message -------

Stuart Udall
stuart net -

 * Origin: lsi: revolution through evolution (192:168/0.2)
