So, I installed SpamAssassin. It's been only a few hours, and I love it already. Unfortunately one of the things I'd hope it would catch, it doesn't--the klez worm and its kindred. I've no complaints about that, though, as it never claimed it did, and what it does it does really well.
Since I still want Klez dead, that means Plan B. In this case, MIMEDefang from Roaring Penguin. That's fine, except it wants Sendmail 8.12.x, while I'm running a RedHat build of 8.11.x. (Which I manage, no less, through the mailconf portion of linuxconf) There are many things I like doing, but rebuilding sendmail is not one of them. Every time I do, something gets screwed up, probably because I insist on using a custom config setup with a tool that hates custom configs. (I keep my mailing list aliases in a separate aliases file, though given how often they change there's little point these days)
Of course, I'm also running a 2.2.something linux kernel, with an older glibc, so I have no doubt that when I go to build the new sendmail I'll find a dozen other upgrades needed, and each of those will want a dozen upgrades more...
It's times like this I really miss the VMS "stable API with backwards compatibility" mindset. :(
--Nat
Re:procmail the bastard
Elian on 2002-05-09T18:39:28
Hrm. Sounds like a good thing to add to SpamAssassin's ruleset. I think I shall go do that. Thanks!
Klez rule's in
Elian on 2002-05-09T18:54:53
We'll see if it catches non-klez mail, but for now, this SpamAssassin rule:
rawbody CONTENT_ID /^Content-ID:/is
describe CONTENT_ID Content-id in the body usually means Klez
score CONTENT_ID 5.6
looks to be a winner.
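As an added illustration (not code from the thread or from SpamAssassin itself) of what the rawbody rule above does and why it is not a 100% guarantee, here is a small Python stand-in that applies the same pattern to constructed messages, including a legitimate multipart/related mail with an inline image that scores just like the worm-shaped one. It assumes the rule is matched against every line after the top-level header block, MIME part headers included.

```python
import re

# Stand-in for the rawbody rule in the post, written for this thread and not
# taken from SpamAssassin. Assumption: the pattern is tried against every line
# after the top-level header block, so a Content-ID: header inside a MIME part
# matches while one among the message headers does not.
CONTENT_ID_RULE = re.compile(r"^Content-ID:", re.IGNORECASE)
CONTENT_ID_SCORE = 5.6

def score_content_id(raw: str) -> float:
    """Score this single rule contributes: 5.6 if any raw body line starts
    with Content-ID: (case-insensitive, like the rule's /i flag), else 0.0."""
    _, _, body = raw.partition("\n\n")  # headers end at the first blank line
    if any(CONTENT_ID_RULE.match(line) for line in body.splitlines()):
        return CONTENT_ID_SCORE
    return 0.0

# Constructed sample messages (not captured mail); addresses use .invalid.
PLAIN_TEXT = (
    "From: alice@example.invalid\nSubject: lunch\nContent-Type: text/plain\n\n"
    "See you at noon.\n"
)
# Content-ID only among the top-level headers: the rule must not fire.
HEADER_ONLY = (
    "From: alice@example.invalid\nContent-ID: <top@example.invalid>\n"
    "Content-Type: text/plain\n\nNo body parts here.\n"
)
# Multipart mail whose attachment part carries a Content-ID header, the shape
# the rule was written to catch; the header is lower-cased on purpose.
TAGGED_ATTACHMENT = (
    "From: x@example.invalid\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/html\n\n<html>hello</html>\n"
    "--b1\nContent-Type: application/octet-stream; name=\"file.bin\"\n"
    "content-id: <part1@example.invalid>\n\nQUJD\n--b1--\n"
)
# Legitimate HTML mail with an inline image referenced by cid: also trips the
# rule, which is the false positive the thread acknowledges.
INLINE_IMAGE = (
    "From: news@example.invalid\n"
    "Content-Type: multipart/related; boundary=\"b2\"\n\n"
    "--b2\nContent-Type: text/html\n\n<img src=\"cid:logo@example.invalid\">\n"
    "--b2\nContent-Type: image/png\nContent-ID: <logo@example.invalid>\n\n"
    "iVBORw0KGgo=\n--b2--\n"
)

if __name__ == "__main__":
    for name, msg in [("plain", PLAIN_TEXT), ("header-only", HEADER_ONLY),
                      ("tagged attachment", TAGGED_ATTACHMENT),
                      ("inline image", INLINE_IMAGE)]:
        print(f"{name:18} CONTENT_ID score = {score_content_id(msg)}")
```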
Re:qpsmtpd
Elian on 2002-05-09T18:38:53
Yeah, but that'd require using qmail. Alas, I have non-technical issues with it, so I don't. (Not that I'd be looking forward to getting the sendmail->qmail transition done well--I'm not a Unix sysadmin by trade)
Re:Viruses
Elian on 2002-05-09T23:04:02
I'm fine with SpamAssassin not doing virus detection. (Not that it matters, as there aren't any functional WinBoxes around the house) I was just kinda hopeful that the klez worm mail would have a distinctive enough signature that it'd be able to detect it without me actually having to do any work. :)
Still, can't complain--it works as advertised, and rather well at that. And thanks to Nat, I managed to abuse it into doing things it didn't advertise, so I'm happy. It's on my permanent list 'o cool system utilities.
Now if we could just get these twits to stop doing this sort of nonsense in the first place....
Re:Viruses
Matts on 2002-05-10T01:02:11
Now if we could just get these twits to stop doing this sort of nonsense in the first place....
Hey, don't say that! If it wasn't for Microsoft and their great security I wouldn't have a job ;-)
I'd give you the key to detecting all Klez variants if I knew exactly what it was myself, but I can't grok our AV guy's code. It's something to do with disassembling the PE code (Win32 binary) and detecting it based on the lack of the CompanyName header in there. Or something like that.
Also of interest may be OpenAntiVirus.
Re:Viruses
Elian on 2002-05-10T01:09:33
I'm sure you could find something useful to do with your time if you weren't writing virus filtering code. :)
I threw a rule with a weight of 5.6 in my SpamAssassin config files for messages with a Content-ID: header in the body. Rumor has it that it's not a 100% guarantee, but it's working as a filter trigger for me.