Filtering Mydoom/Novarg worm with procmail

The following procmail script is based on the script originally found at linuxbandwagon.com called “Fighting spam with procmailrc”.

For a server-wide implementation the script should be placed in the file
/etc/procmailrc. Remember to clear the /tmp/virus.sav file regularly on high-traffic servers to avoid cluttering up the /tmp folder.
If you are happy that the script won't stop legitimate traffic, you can trash the virus by changing /tmp/virus.sav to /dev/null.

How does it work?

The script is fairly simple in operation. It just searches the body of each email for the string “name=” followed by one of the known attachment names. If this string is found the email is redirected to the holding file in the /tmp folder. I actually redirect to a virus file in my mail folder and use usermin to view the subjects to check for false hits. The list of attachment names comes from the descriptions of the worm that were posted online after the initial analysis by anti-virus companies. There may be other attachment names that I haven’t covered. The script has, however, been effective in catching the worm so far.

Because this page is becoming fairly popular I’ve added an easy cut-and-paste version below: just highlight the text, then copy it into your own procmail file.

---procmailrc---
VERBOSE=off
LOGFILE=/var/log/virus.log
# Header values extracted with formail, available for your own logging or
# notification recipes; the recipes below do not reference them
SUBJECT=`formail -xSubject:`
ARRIVED=`formail -xDate:`
TOEMAIL=`formail -xTo:`
SENDMAIL=/usr/sbin/sendmail
## Check if already scanned (header-only match, H flag)
:0 H
* !^X-Loop: Attachment scanner
{
  :0 fw ## Add header so the message is not scanned a second time
  |formail -A"X-Loop: Attachment scanner"
  # Look for worm attachment in the body (B flag); the MIME part header
  # carrying name="..." sits in the body, not in the top-level headers
  :0 B
  * name=.*(document|readme|doc|text|file|data|test|message|body)\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|shs|bat|bas|cmd|zip)
  {
    # Deliver to the holding file instead of the user's mailbox
    :0
    /tmp/virus.sav
  }
}
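To check the pattern against sample mail before installing it server-wide, here is a dry run of the recipe's logic using only sed and grep. It is an added example, not part of the original post: it mirrors the header (H) and body (B) scopes and the same name= pattern, and the three messages are constructed for the test.

```shell
#!/bin/sh
# Dry run of the procmailrc recipe above, so the attachment pattern can be
# tried against sample messages before deployment. Messages are constructed.

# Same pattern as the "* name=..." condition in the recipe (egrep syntax).
WORM_RE='name=.*(document|readme|doc|text|file|data|test|message|body)\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|shs|bat|bas|cmd|zip)'

# Prints what the recipe would do with the message passed as $1:
#   scanned - X-Loop header present, the whole block is skipped
#   virus   - body matches, would be delivered to /tmp/virus.sav
#   clean   - falls through to normal delivery
# grep -i is used because procmail matches case-insensitively by default.
classify_message() {
    # Header = lines up to the first blank line (scope of the H flag)
    if printf '%s\n' "$1" | sed '/^$/q' | grep -iq '^X-Loop: Attachment scanner'; then
        echo scanned; return
    fi
    # Body = everything after the first blank line (scope of the B flag);
    # MIME part headers such as Content-Type live here, not in the top headers
    if printf '%s\n' "$1" | sed '1,/^$/d' | grep -Eiq "$WORM_RE"; then
        echo virus; return
    fi
    echo clean
}

WORM_MSG='From: sender@example.net
To: user@example.org
Subject: hi

This is a multi-part message in MIME format.
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
(attachment data omitted)'

CLEAN_MSG='From: colleague@example.org
To: user@example.org
Subject: quarterly report

Content-Type: application/pdf; name="report.pdf"
(attachment data omitted)'

# Same as WORM_MSG but already tagged: the loop guard lets it through untouched
SCANNED_MSG="X-Loop: Attachment scanner
$WORM_MSG"

for m in "$WORM_MSG" "$CLEAN_MSG" "$SCANNED_MSG"; do
    classify_message "$m"
done
```

Note the last case: once the X-Loop header is present, a message is never re-examined, so a tagged message carrying a matching attachment is passed through rather than diverted.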

John built his first website in 1995. With a reputation for being The Internet Guru, he has become the Internet go-to guy for his clients and friends by helping them make sense of the online world, solving their problems and making the Internet easy.

Posted in Anti Spam