Deposing Dictators

Thomas Wouters thomas at xs4all.net
Mon Aug 6 13:53:43 EDT 2001


On Sun, Aug 05, 2001 at 07:47:50PM -0400, Tim Peters wrote:

> [Neil Hodgson]
> >     This is not restricted to you. Large numbers of people have been
> > receiving these probably due to the Sircam worm/virus. I've received
> > some and I'm for the division change.

> Ah, *that's* what this is about -- "I send you this file in order to have
> your advice", etc.  webmaster at python.org has gotten hundreds of these,
> possibly thousands.  We thought they came from Stephen <wink>.  My primary
> ISP filters them out, so I've only seen about 50 of them; in *most* cases,
> the return address is in fact bogus, although I haven't seen that aspect
> confirmed in the tech reports.

For those that wish to filter SirCam, and use procmail, put this in your
procmailrc:

:0 :
* ^Content-Type: multipart/mixed; \
   boundary="----[0-9A-F]+_Outlook_Express_message_boundary"
* B ?? ^Content-(Type|Disposition):.*name=.*\
        \.(doc|xls|zip|txt|gif|jpg)\.(com|bat|pif|lnk|exe)
sircam

It filters based on two things: a boundary string that seems to be fairly
unique to SirCam (contrary to what it looks like, Outlook Express doesn't
seem to use that boundary itself) and of course the presence of an
attachment with two extensions (also pretty unique to SirCam.) We use it for
a number of 'public' email addresses, and we haven't seen any false
positives yet.

If you're secure enough to throw all that mail out, instead of placing it in
a 'sircam' folder, you can change the last line from 'sircam' to
'/dev/null', and the first line to just ':0' (the last : does locking, which
you don't want to do on /dev/null).

Tim, I know you're too windows-based to do procmail filtering, but if I were
you, I'd get Barry or whoever to put such a filter on webmaster at python.org :)

-- 
Thomas Wouters <thomas at xs4all.net>

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
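
The two conditions of the recipe above, restated as a Python check that can be run over saved messages before a filter is deployed. This is an added example, not part of the original post; the function names, sample messages and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# Same patterns as the procmail recipe (procmail matches case-insensitively).
BOUNDARY_RE = re.compile(r"----[0-9A-F]+_Outlook_Express_message_boundary", re.I)
# Anchored to the end of the file name, slightly stricter than the recipe.
DOUBLE_EXT_RE = re.compile(
    r"\.(doc|xls|zip|txt|gif|jpg)\.(com|bat|pif|lnk|exe)$", re.I)


def looks_like_sircam(raw: str) -> bool:
    """True only when BOTH recipe conditions hold, as in the procmail rule."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/mixed":
        return False
    if not BOUNDARY_RE.fullmatch(msg.get_boundary() or ""):
        return False
    for part in msg.walk():
        # name= may appear on Content-Type or filename= on Content-Disposition
        names = (part.get_filename(), part.get_param("name"))
        if any(isinstance(n, str) and DOUBLE_EXT_RE.search(n) for n in names):
            return True
    return False


def build_sample(boundary: str, filename: str) -> str:
    """Constructed two-part message used only to exercise the check."""
    return (
        "From: sender@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed;\n\tboundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        "Content-Type: text/plain\n\n"
        "constructed body\n"
        f"--{boundary}\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\n"
        "AAAA\n"
        f"--{boundary}--\n"
    )


if __name__ == "__main__":
    b = "----1A2B3C4D_Outlook_Express_message_boundary"
    print(looks_like_sircam(build_sample(b, "budget.xls.pif")))
```

Requiring both conditions, as the recipe does, keeps ordinary mail with a double-extension attachment or a similar-looking boundary out of the 'sircam' folder.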



