[Mimedefang] Bagle-Q and Bagle-R

Joseph Brennan brennan at columbia.edu
Thu Mar 18 12:16:11 EST 2004



--On Thursday, March 18, 2004 4:54 PM +0100 Andrzej Marecki 
<amr at astro.uni.torun.pl> wrote:

> Unlike most email viruses, the Bagle-Q and Bagle-R worms do not carry email
> attachments. It's not clear to me whether they get caught on Un*x based
> mailservers running MIMEDefang + Sophie. Any clues?


So far, you can catch Bagle pretty well by the From: line (not the
$Sender, unfortunately, but the header From:).  Those of us who open
HEADERS anyway can grab the From: address and see if it has

  /(staff|management|support|administration|noreply|antispam|antivirus)/

followed by @ and your own domain and tld, e.g. staff@columbia.edu
for our site.

It won't last.  But right now it's a quick way to toss them without
opening the body at all.

Of course this assumes that you don't send real mail with those addresses
in the From: header line.


In general, you might want to disable OBJECT and SCRIPT html tags.
I posted code to do this recently.  You have to open html parts and
rewrite them when they have the tags.


Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
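As an added example (not the post's own code, and not MIMEDefang's Perl filter), here are the two checks from the message above in Python: the header From: test using the post's word list followed by @ and the local domain, and the rewrite of text/html parts that neutralises OBJECT and SCRIPT tags. The domain example.com, the two sample messages and the x-defanged- tag prefix are assumptions made for illustration.

```python
import re
from email import encoders, message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Tuple

# Assumption for the example: the domain this server accepts mail for.
LOCAL_DOMAIN = "example.com"

# Local-part alternation exactly as given in the post.
SUSPECT_LOCALPARTS = r"(staff|management|support|administration|noreply|antispam|antivirus)"


def build_from_pattern(local_domain: str) -> "re.Pattern":
    # Not anchored at the start of the local part, like the post's check, so
    # 'it-support@example.com' matches too; anchored at the end so that
    # 'staff@example.com.attacker.test' does not.
    return re.compile(SUSPECT_LOCALPARTS + "@" + re.escape(local_domain) + r"$", re.IGNORECASE)


def from_header_address(msg: Message) -> str:
    # Header From:, not the envelope sender; parseaddr drops any display name.
    _name, addr = parseaddr(msg.get("From", ""))
    return addr


def from_address_of(raw: str) -> str:
    return from_header_address(message_from_string(raw))


def looks_like_bagle(msg: Message, local_domain: str = LOCAL_DOMAIN) -> bool:
    return bool(build_from_pattern(local_domain).search(from_header_address(msg)))


# Rename <script>/<object> (opening and closing) to a tag name browsers ignore.
# 'x-defanged-' is an arbitrary prefix chosen for this example.
DANGEROUS_TAGS = re.compile(r"<(/?)\s*(script|object)\b", re.IGNORECASE)


def defang_html(html: str) -> str:
    return DANGEROUS_TAGS.sub(r"<\1x-defanged-\2", html)


def defang_html_parts(msg: Message) -> int:
    # Walk every MIME part, rewrite text/html bodies in place and re-encode
    # them as quoted-printable. Returns the number of parts changed.
    changed = 0
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "us-ascii"
        original = part.get_payload(decode=True).decode(charset, "replace")
        rewritten = defang_html(original)
        if rewritten != original:
            del part["Content-Transfer-Encoding"]
            part.set_payload(rewritten.encode(charset))
            encoders.encode_quopri(part)
            changed += 1
    return changed


def filter_message(raw: str, local_domain: str = LOCAL_DOMAIN) -> Tuple[str, Message]:
    # Order matches the post: the From: test needs only the headers and runs
    # first; only messages that pass it have their HTML parts opened.
    msg = message_from_string(raw)
    if looks_like_bagle(msg, local_domain):
        return "discard", msg
    defang_html_parts(msg)
    return "accept", msg


# Constructed samples for the example, not captured Bagle traffic.
BAGLE_MESSAGE = """From: "Support" <support@example.com>
To: user@example.com
Subject: Notice
Content-Type: text/html; charset="us-ascii"

<html><body>See the notice.</body></html>
"""

HTML_MESSAGE = """From: Jane Doe <jane.doe@example.com>
To: user@example.com
Subject: newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain text version.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p><SCRIPT>alert(1)</SCRIPT>
<object data="x"></object></body></html>
--b1--
"""

if __name__ == "__main__":
    for raw in (BAGLE_MESSAGE, HTML_MESSAGE):
        verdict, msg = filter_message(raw)
        print(verdict, from_header_address(msg))
```

The From: check is deliberately the substring test the post describes, so a local part such as it-support@ also trips it; anchor the alternation at the start of the local part if that is a problem for your site. Renaming the tags rather than deleting them keeps the part's layout intact and makes the rewrite easy to spot in a saved copy, but it only catches literal markup, not tags that are obfuscated or assembled at run time.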



