Stop Sobig Trojan Email with procmail

Like a lot of people, I've been getting a lot of email as a result of the Sobig.F trojan. It doesn't look like it's going to let up any time soon, either. And while I'm completely immune to the effects of the trojan, I'm very much not immune to having my inbox fill up from hundreds of bogus emails every few hours.

If you have your mail delivered by a Linux or Unix (or even Mac OS X) mail server, chances are that you have procmail installed. If not, get it. It works very well. (If you have an account at Hurricane Electric, then you have procmail already.) Once you know you can use procmail, create a file in your home directory called .procmailrc. In it, add the following lines:

# The B flag makes procmail match the conditions against the message body,
# which is where the MIME part headers of an attachment appear. Both
# conditions must match (matching is case-insensitive by default).
:0 B
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr)"
/dev/null

That will send every email which has an attachment with the extension .pif, .exe or .scr to the bit bucket. You won't see any more Sobig emails ever again. There's a downside, though: if someone sends you a "real" email with an executable (like a self-extracting zip file, a program to run, etc.) attached, you won't see that either. And it's non-recoverable. Once something gets sent to /dev/null it's gone forever. I personally never want any executable attachments sent to me, so I'm fine with always throwing them away. If you'd rather send the filtered email to a folder, just change the last line to something like this:

/home/wee/mail/trojan

(Obviously, unless your username is 'wee', you should change it to reflect your account.) Once it's set up that way, you can go through the 'trojan' folder and see what's being filtered. If, after a sufficiently long length of time, you decide that no "real" email has been wrongly filtered, you can simply change the target line back to /dev/null.

BTW, you can also use procmail to filter out normal spam and such. I use it to "blackhole" certain email addresses. I even block whole domains. For example, I will never get any mail from mp3.com (because they just refuse to stop spamming me) or shaw.ca (because 99% of all the email I get from that ISP is spam). Once you start using procmail it's nearly unthinkable to go without it.

Comments for: Stop Sobig Trojan Email with procmail

Wow. Great stuff. I am most certainly going to put that info into use within the week. I wish I had known about that before. Can I somehow set procmail to block mail with certain keywords in the subject header (i.e. Viagra, etc.)? I can't tell you how tired I am of receiving spam about free Viagra, free online pharmacy nonsense, penis enlargement (I believe I saw Tracy mention getting these a while back), septic tank cleaning, etc. And don't get me started on those Nigerian spammers. Although I have found a handful of sites that have had some fun with those guys and managed to extract a bit of poetic justice for all of the rest of us.

I am also tired of receiving emails as a result of sobig. Although, I may be tired for a different reason than you. I don't believe I have received many spam emails with sobig attached. HOWEVER, I certainly *have* received far too many emails from companies and ISPs whose virus/worm filters have caught sobig being "sent" by me. I don't have sobig. I don't open attachments. Period. Even from people I know. Ever. However, apparently one or more people I know (or at least people who have my email addy in their address book or in/out folder) DO have sobig and it's spoofing my address. I even got a personal email from some guy the other day cussing me out and threatening me for "trying to send him a virus." I explained to him what the deal was and he seemed to calm down.

If only the creators of these things would find a better way to get their 15 minutes of fame. I mean, go hack a corporate website and put pr0n up or something. Leave the little guy alone.

-S.

Posted by Shane at August 24, 2003 5:20 AM

Block emails on subject? Of course! Easy! Done all the time! Try something like this:

# No B flag here: the condition is matched against the headers, so a
# Subject line that starts with "ADV:" sends the mail to the spam folder.
:0
* ^Subject: *ADV:
/home/username/mail/spam

First, change the word 'username' in the last line to whatever your mail account name is. When you get mail whose subject starts with the string 'ADV:', it'll go into the spam folder. Look at that folder once a month or so, make sure nothing is addressed to you, and delete the whole lot of it. Problem solved.

Posted by wee at August 26, 2003 7:24 PM
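The two recipes on this page (the attachment filter in the post and the Subject filter in wee's reply) are easy to get subtly wrong, and the post itself warns that a self-extracting zip will be caught too. The following is an added example, not code from the original post: a small Python model of both recipes, applied to constructed messages, so you can see what each rule matches before letting procmail route real mail. The folder names "trojan", "spam" and "inbox" and all sample messages are assumptions made for the example.

```python
"""Model of the two procmail recipes from the page, run against constructed
messages.  Added example; not part of the original post."""
import re
from email import message_from_string
from email.message import Message

# Recipe 1 (the post): an attachment whose filename ends in .pif, .exe or
# .scr.  procmail matches case-insensitively by default, so do the same.
DANGEROUS_EXT = re.compile(r'\.(pif|exe|scr)$', re.IGNORECASE)

# Recipe 2 (wee's reply): a Subject header value that starts with "ADV:".
ADV_SUBJECT = re.compile(r'^\s*ADV:', re.IGNORECASE)


def parse(raw: str) -> Message:
    """Parse a raw RFC 822 message (constructed samples below)."""
    return message_from_string(raw)


def executable_attachment_names(msg: Message) -> list:
    """Return the filenames of attachments that recipe 1 would match.

    procmail's B flag greps the raw body, where the MIME part headers
    (Content-Disposition: attachment; filename="...") appear; walking the
    parsed MIME tree is the structured equivalent of that."""
    hits = []
    for part in msg.walk():
        if part.get_content_disposition() != 'attachment':
            continue
        name = part.get_filename() or ''
        if DANGEROUS_EXT.search(name):
            hits.append(name)
    return hits


def route(msg: Message) -> str:
    """Mimic a .procmailrc holding both recipes: the first match decides
    the folder (hypothetical folder names), otherwise normal delivery."""
    if executable_attachment_names(msg):
        return 'trojan'
    if ADV_SUBJECT.search(msg.get('Subject', '')):
        return 'spam'
    return 'inbox'


# --- constructed sample messages (not real captures) -----------------------
SOBIG_LIKE = """\
From: someone@example.invalid
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See the attached file for details.
--XYZ
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--XYZ--
"""

# The false positive the post warns about: a legitimate self-extracting zip.
SELF_EXTRACTING = SOBIG_LIKE.replace('details.pif', 'photos.exe')

ADV_MAIL = """\
From: promo@example.invalid
Subject: ADV: Great deals
Content-Type: text/plain

Buy now.
"""

NORMAL = SOBIG_LIKE.replace('details.pif', 'report.pdf')


if __name__ == '__main__':
    for label, raw in [('sobig-like', SOBIG_LIKE), ('self-extracting', SELF_EXTRACTING),
                       ('adv', ADV_MAIL), ('normal', NORMAL)]:
        print(f'{label:16} -> {route(parse(raw))}')
```

Running it shows the Sobig-like message and the self-extracting zip both landing in 'trojan', which is exactly why the post suggests filtering to a folder first and only switching the target to /dev/null once you are satisfied nothing legitimate is being caught.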

It might be worth your while to check out bogofilter. It's a Bayesian filtering system that works well with procmail.

Posted by bob at August 27, 2003 6:51 PM

I have been very happy with SpamAssassin (spamassassin.org). It seems to catch and filter around 95% of spam.

Posted by Steve at January 1, 2004 3:30 PM
