"Greetings"

Julian Field mailscanner at ecs.soton.ac.uk
Fri Oct 25 16:58:53 IST 2002


I have found a much easier solution (with credit to Quentin for his
previous posts on SA rules).

I added this to /usr/local/MailScanner/etc/spam.assassin.prefs.conf

header FRIENDLY_GREETINGS       Subject =~ /you have an E-Card from/i
describe FRIENDLY_GREETINGS     Nasty E-card from FriendlyGreetings.com
score   FRIENDLY_GREETINGS      200.0

That added a score of 200 to any email containing that in the subject line.
No code required.

I'll include that extra rule (with maybe a score of 100) in my distribution
so people are protected if they use SpamAssassin.

The drawback of treating it like a virus is that any conversation about
this problem will get binned by MailScanner so you can't read it. Treating
it as high-scoring spam will allow your users to make up their own mind
(unless you stop delivery of high-scoring spam).

At 16:46 25/10/2002, you wrote:
>Julian,
>    I vote for #1 (virus), since this is a "social engineering" virus,
>aka "trick the user into doing something stupid" virus.
>
>When I saw the Sophos blurb this morning, I put both the "FriendGreetings.com"
>domain and the entire class C netblock "65.89.168." (the hosting ISP for them)
>into my sendmail block lists, and modified my junkfilter/procmail rulesets to
>trap anything with the subject line.  No mercy for these creeps.
>
>** Jeff A. Earickson, Ph.D
>** Senior UNIX Sysadmin, Information Technology
>** Colby College, 4214 Mayflower Hill,
>** Waterville ME, 04901-8842
>** phone: 207-872-3659 (fax = 3076)
>
>On Fri, 25 Oct 2002, Julian Field wrote:
>
> > Date: Fri, 25 Oct 2002 16:35:38 +0100
> > From: Julian Field <mailscanner at ECS.SOTON.AC.UK>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: "Greetings"
> >
> > By the way, it will take considerably longer to write (2 spam) than to
> > write (1 virus).
> >
> > Here, I do it with sendmail anyway, but it's not trivial to do it that way.
> >
> > >Would people prefer
> > >1) Replace the content of messages containing "nasty" headers such as
> > >this, as if it was a virus
> > >2) Just flag it as spam and handle according to the normal "Spam Actions"
> > >?
> > >
> > >I'm writing (1) at the moment, but it just occurred to me that (2) might
> > >be better.
> > >
> > >Your votes please...
> > >

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
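
Added example (not part of the original post, and not MailScanner or SpamAssassin code): a small Python stand-in that parses the three rule lines above and scores constructed messages, showing that a reply discussing the e-card hits the same rule as the e-card itself, which is why the choice between virus handling and spam scoring matters. The parser handles only this simple header-rule form; the 5.0 threshold and the sample subjects are assumptions.

```python
import re
from email import message_from_string

# The three rule lines exactly as given in the post.
RULES_TEXT = """\
header FRIENDLY_GREETINGS       Subject =~ /you have an E-Card from/i
describe FRIENDLY_GREETINGS     Nasty E-card from FriendlyGreetings.com
score   FRIENDLY_GREETINGS      200.0
"""
REQUIRED_HITS = 5.0  # assumed spam threshold for this example

def parse_rules(text):
    """Parse simple 'header NAME Hdr =~ /re/flags' and 'score NAME n' lines."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        rule = rules.setdefault(name, {"score": 1.0})  # default used here
        if kind == "header":
            m = re.match(r"(\S+)\s*=~\s*/(.*)/([a-z]*)\s*$", rest)
            if m:
                flags = re.IGNORECASE if "i" in m.group(3) else 0
                rule["header"], rule["regex"] = m.group(1), re.compile(m.group(2), flags)
        elif kind == "score":
            rule["score"] = float(rest)
    return rules

def score_message(raw, rules):
    """Return (total score, names of rules that hit) for one raw message."""
    msg = message_from_string(raw)
    hits = [n for n, r in rules.items()
            if "regex" in r and r["regex"].search(msg.get(r["header"], ""))]
    return sum(rules[n]["score"] for n in hits), hits

# Constructed sample messages (not real traffic).
SAMPLES = {
    "ecard": "Subject: Alice you have an E-card from Bob\n\nClick here.\n",
    "discussion": "Subject: Re: 'you have an e-card from' rule\n\nThoughts?\n",
    "normal": "Subject: Lunch on Friday?\n\nSee you then.\n",
}

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for label, raw in SAMPLES.items():
        total, hits = score_message(raw, rules)
        print(label, total, hits, "spam" if total >= REQUIRED_HITS else "ham")
```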


