Blocking w32.beagle.j with postfix
This new worm is particularly annoying, since an AV scanner may not catch it at the server level: the infected file is password protected. If you're running postfix, you can block the subjects it arrives with at the server level using header_checks.
In /etc/postfix/header_checks add these lines:
#
# w32.Beagle.j worm
#
/^Subject:.*E-mail account disabling warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*E-mail account security warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Email account utilization warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Important notify about your e-mail account/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Notify about using the e-mail account/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Notify about your e-mail account utilization/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Warning about your e-mail account/ REJECT Suspected W32.Beagle change subject
It will reject the email with the message "Suspected W32.Beagle change subject". That's all, postfix rocks.
Comments
You could also look for a message-id that matches: <[a-z]{19}@
Posted by: Gavin | March 3, 2004 01:21 PM
Wouldn't that be a tad broad?
Posted by: kasia | March 3, 2004 02:04 PM
Thanks for the heads up
Posted by: david | March 3, 2004 06:13 PM
It may be a bit too broad I guess, though it's fairly unlikely that you'll get a real MessageID that's just 19 lowercase characters. I set up SpamAssassin rules (thanks mattriffle!) like:
header BAGLE_WORM_SUBJ1 Subject =~ /E-?mail account (security|utilization|disabling) warning\./
describe BAGLE_WORM_SUBJ1 Virus - Appears to be the W32/Bagle.j@MM worm
score BAGLE_WORM_SUBJ1 3.1
header BAGLE_WORM_SUBJ2 Subject =~ /((Important )?[Nn]otify|Warning) (about your|(about )?using the) e-mail account( utilization)?/
describe BAGLE_WORM_SUBJ2 Virus - Appears to be the W32/Bagle.j@MM worm
score BAGLE_WORM_SUBJ2 3.1
header BAGLE_WORM_MSGID MESSAGEID =~ /<[a-z]{19}\@/
describe BAGLE_WORM_MSGID MessageID suggests W32/Bagle.j@MM worm
score BAGLE_WORM_MSGID 2.5
Then I thought about it and added:
blacklist_from management@example.com
blacklist_from administration@example.com
blacklist_from staff@example.com
blacklist_from noreply@example.com
blacklist_from support@example.com
Where "example.com" is replaced by my real domain. That seems to be fixing it :)
Posted by: Gavin | March 4, 2004 05:06 PM
Procmail:
:0:
* ^Subject:.*E-mail account disabling warning
/dev/null
:0:
* ^Subject:.*E-mail account security warning
/dev/null
:0:
* ^Subject:.*Email account utilization warning
/dev/null
:0:
* ^Subject:.*Important notify about your e-mail account
/dev/null
:0:
* ^Subject:.*Notify about using the e-mail account
/dev/null
:0:
* ^Subject:.*Notify about your e-mail account utilization
/dev/null
:0:
* ^Subject:.*Warning about your e-mail account
/dev/null
Posted by: Brian | March 5, 2004 09:06 AM
Why does it matter that the attached ZIP file is password protected? You can still just look at the initial bytes of the attachment and use that as the fingerprint of this virus. Here is what I do on my mail server in my global /etc/procmailrc file:
:0 B
* ^(UEsDBAoAAAAAA|PK\003\004|MZ\220\000\003\000\000\000\004|UEsDBAoAAQAAA|TVqQAAMAAAAE|TVoAAAEAAA)
{
LOG=">>> /dev/null'ed worm/virus by body signature "
:0
/dev/null
}
Posted by: Rasmus | March 6, 2004 11:26 AM
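Added example (not code from the post or from any commenter): a small Python harness that applies the header_checks subject patterns from the post and the body signature from Rasmus's procmail recipe to a constructed sample message, so both detections can be checked offline. The sample attachment is a constructed ZIP local file header with the encryption flag set, not a worm; the addresses and filename are made up, and the harness mimics (rather than replaces) what Postfix and procmail do.

```python
import re
from email.message import EmailMessage

# Subject patterns from the header_checks in the post. Postfix applies each regexp to the
# complete (unfolded) "Subject: ..." header line, case-insensitively by default.
SUBJECT_RULES = [re.compile(p, re.IGNORECASE) for p in (
    r"^Subject:.*E-mail account disabling warning",
    r"^Subject:.*E-mail account security warning",
    r"^Subject:.*Email account utilization warning",
    r"^Subject:.*Important notify about your e-mail account",
    r"^Subject:.*Notify about using the e-mail account",
    r"^Subject:.*Notify about your e-mail account utilization",
    r"^Subject:.*Warning about your e-mail account",
)]

# Rasmus's body signature. The base64 alternatives are the encoded start of a ZIP local
# file header ("PK\x03\x04", stored, flags 0 or 1 = encrypted) and of an MZ/PE header;
# the raw alternatives cover attachments sent without base64. Procmail's ^ in body mode
# matches at line starts, which is re.MULTILINE here.
BODY_SIGNATURE = re.compile(
    rb"^(UEsDBAoAAAAAA|PK\x03\x04|MZ\x90\x00\x03\x00\x00\x00\x04"
    rb"|UEsDBAoAAQAAA|TVqQAAMAAAAE|TVoAAAEAAA)", re.MULTILINE)

def check_message(raw):
    """Return (matching subject rule number or None, body signature hit?) for raw bytes."""
    text = raw.replace(b"\r\n", b"\n")
    head, _, body = text.partition(b"\n\n")
    head = re.sub(rb"\n[ \t]+", b" ", head).decode("latin-1")  # unfold continuation lines
    subject_rule = next((n for line in head.split("\n")
                         for n, rule in enumerate(SUBJECT_RULES, 1) if rule.search(line)), None)
    return subject_rule, bool(BODY_SIGNATURE.search(body))

def build_sample(subject, attachment):
    """Constructed test message (not a real worm sample) with a base64 attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "staff@example.com", "user@example.com", subject
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename="info.zip")
    return msg.as_bytes()

# Constructed attachment head: ZIP local file header, method 0 (stored), flag bit 0 set
# (password protected). Its base64 starts with UEsDBAoAAQAAA, so the signature fires.
ENCRYPTED_ZIP_HEAD = b"PK\x03\x04\x0a\x00\x01\x00" + b"\x00" * 24

if __name__ == "__main__":
    print(check_message(build_sample("E-mail account disabling warning", ENCRYPTED_ZIP_HEAD)))
    print(check_message(build_sample("Meeting notes", b"plain text, nothing suspicious")))
```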
If you're running postfix 2.0 or better, use DISCARD instead of REJECT, so that you're not sending copies of the virus in _your_ rejection letters to innocent bystanders. (virus from: lines are usually forged, after all).
Posted by: Harald | March 6, 2004 11:34 AM
Rasmus, I'm running a server with 40K messages received daily, this is more efficient and just as effective.
Harald, it's a REJECT because I may quite possibly have false positives. Normally I do discard email with virus attachments.
Posted by: kasia | March 6, 2004 12:04 PM