
Quick sendmail filter for "new photos from my party!" virus


Ben Gertzfield

Jan 28, 2002, 2:41:46 AM
I'm not sure exactly what this virus is -- a Google search turned up
nothing -- but at about 07:20 GMT today (2002-02-28), our mail servers
started getting hundreds of identical messages from many of our
employees (email addresses changed to protect the innocent):

==BEGIN==

From: abc...@xyz.jp
Subject: new photos from my party!
To: a...@xyz.jp
Date: Mon, 28 Jan 2002 16:24:32 +0900 (JST)

Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!


[2. application/x-msdos-program; www.myparty.yahoo.com]...

==END==

The attachment is actually a uuencoded x86 executable of some sort.
I'm not about to open it to find out what it is. :)

Since every single mail comes with the same Subject: line and there
are no other distinctive characteristics of the mail, I have written
up a quicky, stupid Sendmail filter to block all mails with the
Subject: line "new photos from my party!"

The filter is below, and also is always available from:

http://nausicaa.interq.or.jp/party/partyhack.txt

Enjoy!

# Kludge to bounce "party"-infected emails. Works because (so far)
# all mails with this virus have the Subject:
#
# new photos from my party!
#
# Add this *verbatim* (no cut-and-paste, it contains tabs that must stay
# tabs!) to the local rulesets bit of your sendmail.mc, then rebuild the
# sendmail.cf file.
#
# 2002-01-28 written by Ben Gertzfield <b...@gmo.jp>
#
# Always available at:
# http://nausicaa.interq.or.jp/party/partyhack.txt
#
# Based on sircamhack.txt by Koos van den Hout
# http://idefix.net/~koos/

HSubject: $>Check_party_header
D{Partypat}new photos from my party\!

SCheck_party_header
R${Partypat} $*	$#error $: 553 This message MAY contain the Party virus
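
An added example, not part of Ben Gertzfield's post or his filter: a Python sketch that runs the same Subject: prefix test offline against constructed messages and, as a generalization beyond the post, also flags the attachment type and name shown in the sample, so a copy with a reworded subject is still caught. The extension list, the addresses and the function names are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

PARTY_SUBJECT = "new photos from my party!"    # Subject: text quoted in the post
RISKY_TYPES = {"application/x-msdos-program"}  # MIME type shown in the sample
RISKY_EXTS = (".com", ".exe", ".pif", ".scr", ".bat")  # assumed list, not from the post


def party_verdict(raw):
    """Return the reasons to reject a raw message; an empty list means accept."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    # policy.default unfolds the header and decodes RFC 2047 encoded-words.
    # Case-folding and whitespace collapsing are choices made for this sketch.
    subject = " ".join(str(msg.get("Subject", "")).split()).casefold()
    if subject.startswith(PARTY_SUBJECT):  # prefix test, like "${Partypat} $*"
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").casefold()
        if part.get_content_type() in RISKY_TYPES or name.endswith(RISKY_EXTS):
            reasons.append("attachment:" + (name or part.get_content_type()))
    return reasons


def build_sample(subject, filename=""):
    """Build a constructed test message; the attachment is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.jp"   # constructed addresses
    msg["To"] = "rcpt@example.jp"
    msg["Subject"] = subject
    msg.set_content("My party... It was absolutely amazing!")
    if filename:
        msg.add_attachment(b"placeholder bytes, not an executable",
                           maintype="application", subtype="x-msdos-program",
                           filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    cases = [
        ("new photos from my party!", "www.myparty.yahoo.com"),  # as in the post
        ("pics from saturday", "www.myparty.yahoo.com"),         # reworded subject
        ("new photos from the offsite", ""),                     # ordinary mail
    ]
    for subject, filename in cases:
        print(repr(subject), "->", party_verdict(build_sample(subject, filename)) or "accept")
```

The second case is the one a Subject-only rule lets through: the attachment name ends in .com, so it reads like a web address but is a DOS executable extension.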

William Gee XI

Jan 28, 2002, 6:43:51 AM
Thank you Ben! Works like a champ!


Ben Gertzfield <c...@debian.org> wrote in message news:<87lmeir...@nausicaa.interq.or.jp>...

Paul

Feb 3, 2002, 8:33:34 AM
Thanks!!

Suresh Ramasubramanian

Feb 3, 2002, 8:36:51 AM
>>>>> "pcortes" == pcortes <pco...@boxnetworking.com> writes:
pcortes> Thanks!!

Use something like
http://www.impsec.org/email-tools/procmail-security.html

-srs
