March 03, 2004
Blocking w32.beagle.j with postfix

This new worm is particularly annoying: an AV scanner may not catch it at the server level, because the infected file is inside a password-protected zip that the scanner cannot open. If you're running postfix, you can block the subjects it arrives with at the server level using header_checks.

In /etc/postfix/header_checks add these lines:

#
# w32.Beagle.j worm
#
/^Subject:.*E-mail account disabling warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*E-mail account security warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Email account utilization warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Important notify about your e-mail account/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Notify about using the e-mail account/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Notify about your e-mail account utilization/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Warning about your e-mail account/ REJECT Suspected W32.Beagle change subject

Postfix will reject the message at SMTP time with the reply text "Suspected W32.Beagle change subject". Make sure main.cf actually points at the table (header_checks = regexp:/etc/postfix/header_checks); regexp tables are read directly, so there is no postmap step, but reload postfix after editing the file. That's all, postfix rocks.
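How a header_checks table like the one above gets applied, as an added worked example written for this page (not Postfix code): it parses the table in regexp_table syntax, joins each folded header into the single logical line Postfix matches against, and returns the action of the first rule that hits. Python's re module stands in for Postfix's regexp engine, which is an assumption that holds for these simple patterns, and the sample messages are constructed. It shows that matching is case-insensitive by default, that a subject folded across two lines is still caught, and that a legitimate reply with "Re: Warning about your e-mail account" is rejected too, which is exactly the false-positive risk behind choosing REJECT over DISCARD.

```python
import re

# The header_checks table from the post, embedded here as sample input.
HEADER_CHECKS = """\
#
# w32.Beagle.j worm
#
/^Subject:.*E-mail account disabling warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*E-mail account security warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Email account utilization warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Important notify about your e-mail account/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Notify about using the e-mail account/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Notify about your e-mail account utilization/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Warning about your e-mail account/ REJECT Suspected W32.Beagle change subject
"""

# One rule per line: /pattern/flags ACTION [reply text]   (regexp_table(5) syntax)
RULE_RE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[imx!]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")


def load_rules(table_text):
    """Parse a regexp: table into (compiled_regex, ACTION, reply_text) tuples.
    Postfix matches case-insensitively unless the 'i' flag is given, which
    toggles case sensitivity on. Python's re is used as a stand-in for
    Postfix's POSIX regexp engine (assumption: adequate for these patterns)."""
    rules = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparsable rule: %r" % line)
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags),
                      m.group("action").upper(), m.group("text") or ""))
    return rules


def logical_headers(raw_message):
    """Split the header block into logical headers: Postfix runs header_checks
    over each header with its folded continuation lines joined back on."""
    head = raw_message.split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()      # unfold continuation line
        else:
            headers.append(line)
    return headers


def check_headers(raw_message, rules):
    """Return (ACTION, reply_text) of the first rule matching any header,
    or ('DUNNO', '') when nothing matches and Postfix would carry on."""
    for header in logical_headers(raw_message):
        for regex, action, text in rules:
            if regex.search(header):
                return action, text
    return "DUNNO", ""


RULES = load_rules(HEADER_CHECKS)

# Constructed sample messages (only the headers matter to header_checks).
WORM = "From: staff@example.com\nSubject: E-mail account disabling warning\n\nbody\n"
SHOUTED = "From: staff@example.com\nSUBJECT: E-MAIL ACCOUNT DISABLING WARNING\n\nbody\n"
FOLDED = ("From: staff@example.com\nSubject: Notify about your e-mail\n"
          " account utilization\n\nbody\n")
REPLY = "From: alice@example.org\nSubject: Re: Warning about your e-mail account\n\nbody\n"
CLEAN = "From: alice@example.org\nSubject: Weekly report\n\nbody\n"

if __name__ == "__main__":
    for name, msg in [("worm", WORM), ("shouted", SHOUTED), ("folded", FOLDED),
                      ("reply", REPLY), ("clean", CLEAN)]:
        print("%-8s -> %s %s" % ((name,) + check_headers(msg, RULES)))
```

The "reply" case is the one to keep in mind: `.*` after `Subject:` lets any "Re:" or "Fwd:" prefix through, so a human answering one of the worm's mails trips the same rule. With REJECT the sender at least gets a bounce and can rephrase; with DISCARD the mail vanishes silently.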

Posted March 03, 2004 12:54 AM in Geek Stuff
TrackBack URL for this entry: http://www.unix-girl.com/mt/mt-tb.cgi/1146
Comments
On March 3, 2004 01:21 PM Gavin added:

You could also look for a message-id that matches: <[a-z]{19}@

#
On March 3, 2004 02:04 PM kasia added:

Wouldn't that be a tad broad?

#
On March 3, 2004 06:13 PM david added:

Thanks for the heads up

#
On March 4, 2004 05:06 PM Gavin added:

It may be a bit too broad I guess, though it's fairly unlikely that you'll get a real MessageID that's just 19 lowercase characters. I set up SpamAssassin rules (thanks mattriffle!) like:

header BAGLE_WORM_SUBJ1 Subject =~ /E-?mail account (security|utilization|disabling) warning\./
describe BAGLE_WORM_SUBJ1 Virus - Appears to be the W32/Bagle.j@MM worm
score BAGLE_WORM_SUBJ1 3.1

header BAGLE_WORM_SUBJ2 Subject =~ /((Important )?[Nn]otify|Warning) (about your|(about )?using the) e-mail account( utilization)?/
describe BAGLE_WORM_SUBJ2 Virus - Appears to be the W32/Bagle.j@MM worm
score BAGLE_WORM_SUBJ2 3.1

header BAGLE_WORM_MSGID MESSAGEID =~ /<[a-z]{19}\@/
describe BAGLE_WORM_MSGID MessageID suggests W32/Bagle.j@MM worm
score BAGLE_WORM_MSGID 2.5

Then I thought about it and added:

blacklist_from management@example.com
blacklist_from administration@example.com
blacklist_from staff@example.com
blacklist_from noreply@example.com
blacklist_from support@example.com

Where "example.com" is replaced by my real domain. That seems to be fixing it :)

#
On March 5, 2004 09:06 AM Brian added:

Procmail:

:0:
* ^Subject:.*E-mail account disabling warning
/dev/null
:0:
* ^Subject:.*E-mail account security warning
/dev/null
:0:
* ^Subject:.*Email account utilization warning
/dev/null
:0:
* ^Subject:.*Important notify about your e-mail account
/dev/null
:0:
* ^Subject:.*Notify about using the e-mail account
/dev/null
:0:
* ^Subject:.*Notify about your e-mail account utilization
/dev/null
:0:
* ^Subject:.*Warning about your e-mail account
/dev/null


#
On March 6, 2004 11:26 AM Rasmus added:

Why does it matter that the attached ZIP file is password protected? You can still just look at the initial bytes of the attachment and use that as the fingerprint of this virus. Here is what I do on my mail server in my global /etc/procmailrc file:

:0 B
* ^(UEsDBAoAAAAAA|PK\003\004|MZ\220\000\003\000\000\000\004|UEsDBAoAAQAAA|TVqQAAMAAAAE|TVoAAAEAAA)
{
LOG=">>> /dev/null'ed worm/virus by body signature "
:0
/dev/null
}

#
On March 6, 2004 11:34 AM Harald added:

If you're running postfix 2.0 or better, use DISCARD instead of REJECT, so that you're not sending copies of the virus in _your_ rejection letters to innocent bystanders. (virus from: lines are usually forged, after all).

#
On March 6, 2004 12:04 PM kasia added:

Rasmus, I'm running a server with 40K messages received daily, this is more efficient and just as effective.

Harald, it's a REJECT because I may quite possibly have false positives. Normally I do discard email with virus attachments.

#
Trackbacks
superBlog:Trojaner so viel das Herz begehrt
Man, right now a really pleasant number of idiots feel inspired to create Netsky and Beagle variants. And at a speed at which F-Prot's six-hourly update rhythm was no longer enough. Thanks to my phpMyAdmin-Ch
March 3, 2004 06:18 AM
UFies.org:No Bagles Thanks
Kasia and her readers have some good info on blocking w32.beagle.j with postfix, procmail and spamassassin....
March 5, 2004 05:20 PM