Need a SpamAssassin rule for sober.p worm

Posted on 2005-05-05
Medium Priority
Last Modified: 2010-04-21
I am running procmail with SpamAssassin 2.63 on a FreeBSD server. I am new to SpamAssassin and have some difficulty understanding the syntax. Does anyone have a rule written to filter out the bombardment of mail with the Sober.P virus attached?
The subject lines include:
Re: mailing error
Re: Registration Confirmation
Re: Your email was blocked
Re: Your Password

I also see that although SpamAssassin may mark many of these messages as spam, it still lets them through to the user. Is there a way that they can be bounced or deleted immediately?
Please help; when our mailboxes fill up, it shuts down our ecommerce shared webserver at Verio!
Question by:sfghadmin

Accepted Solution

jlevie earned 1000 total points
ID: 13942595
You'd be better served by installing an Anti-Virus scanner on your system and integrating it into your mail system. I think you can build ClamAV (http://www.clamav.net/) on FreeBSD and setting the system up to use MailScanner (http://www.mailscanner.info) would integrate the A/V and SpamAssassin checks on the mail stream.

FYI: I've seen more subject lines than that...

Assisted Solution

thehermit earned 1000 total points
ID: 14020546
ClamAV with MailScanner strips the attachment, but still delivers the message. To block the message, use the SpamAssassin rule file bogus-virus-warnings.cf from http://www.timj.co.uk/linux/bogus-virus-warnings.cf

Otherwise, you can make your own rules as described at http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt based on the virus description at http://www.sarc.com/avcenter/venc/data/w32.sober.o@mm.html

I'm working on rules to block this as well.  Anybody got an SA ruleset specific to Sober that they want to share?
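As an added illustration of the rule syntax (not a ruleset posted in this thread), here is a local.cf fragment that scores the four subject lines quoted in the question; the rule names and the score of 4.0 are my own choices, and the four sub-rules use the `__` prefix so that they carry no score themselves and only feed the meta rule.

```conf
# Constructed example for SpamAssassin 2.x local.cf; not from the thread above.
# Each sub-rule matches one of the subject lines the asker listed. The
# leading "__" makes the rule unscored and unreported; it exists only so the
# meta rule below can reference it.
header   __SOBER_SUBJ_MAILERR   Subject =~ /^Re:\s*mailing error\s*$/i
header   __SOBER_SUBJ_REGCONF   Subject =~ /^Re:\s*Registration Confirmation\s*$/i
header   __SOBER_SUBJ_BLOCKED   Subject =~ /^Re:\s*Your email was blocked\s*$/i
header   __SOBER_SUBJ_PASSWD    Subject =~ /^Re:\s*Your Password\s*$/i

# Fire once if any of the four subjects is present. Kept below the default
# 5.0 threshold on purpose: "Re: Your Password" can occur in legitimate
# mail, so the message should still need at least one other hit to be
# flagged as spam.
meta     LOCAL_SOBER_P_SUBJECT  (__SOBER_SUBJ_MAILERR || __SOBER_SUBJ_REGCONF || __SOBER_SUBJ_BLOCKED || __SOBER_SUBJ_PASSWD)
describe LOCAL_SOBER_P_SUBJECT  Subject line used by the Sober.P mass-mailer
score    LOCAL_SOBER_P_SUBJECT  4.0
```

After saving the fragment, `spamassassin --lint` reports any syntax mistake before the rules go live. For the second part of the question, a procmail recipe that matches the `X-Spam-Flag: YES` header SpamAssassin adds to flagged mail can deliver those messages to a quarantine folder (or /dev/null) instead of the user's inbox.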
