January 26, 2004

Latest rash of spam

The following should go into your mime_header_checks table (for example /etc/postfix/mime_header_checks.regexp, wired up in main.cf with mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp), assuming you're running Postfix. Which you should be.

# Postfix regexp table: /pattern/ ACTION text. Matching is case-insensitive by default; the dot is escaped so it only matches a literal ".", and both quotes are optional.
/filename="?body\.zip"?/ DISCARD Virus spam discarded (W32.Novarg.A@mm)

No point REJECTing it. A REJECT is just a 5xx to whatever is speaking SMTP to you: the worm's own mail engine ignores it, and a relaying MTA turns it into a bounce, at best to an already-infected victim and more likely to whoever's address the worm forged as the sender. DISCARD accepts the message and silently drops it, which is the only outcome that doesn't generate more junk.
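As an added example (this is not code from the original post, and it is not Postfix itself), here is a small Python emulation of how a mime_header_checks regexp table is applied: every MIME-related header line in every part is unfolded and tested against the rules in order, first match wins, case-insensitively as in Postfix. It runs the filename rule above against constructed sample messages, and also a broadened "any .zip attachment" rule, which is the kind of catch-all you need once the attachment name starts varying. The message texts, the rule texts other than the one from the post, and the helper names are all assumptions made for the example.

```python
import email
import re

# Example emulation of Postfix mime_header_checks (not Postfix code).
# Postfix applies each rule to every logical MIME header line (folded
# continuation lines joined), first matching rule wins, and regexp tables
# match case-insensitively by default, hence re.IGNORECASE here.
def compile_rules(rules):
    """rules: list of (pattern, action, text), in '/pattern/ ACTION text' order."""
    return [(re.compile(p, re.IGNORECASE), action, text) for p, action, text in rules]

# The rule from the post: dot escaped, closing quote optional like the opening one.
NARROW_RULES = compile_rules([
    (r'filename="?body\.zip"?', "DISCARD", "Virus spam discarded (W32.Novarg.A@mm)"),
])

# Broadened rule (assumed wording): any .zip attachment, whether it is announced
# by Content-Disposition filename= or by Content-Type name=.
BROAD_RULES = compile_rules([
    (r'^Content-(Disposition|Type):.*name="?[^";]*\.zip"?', "DISCARD",
     "zip attachment discarded"),
])

def mime_header_lines(raw_message):
    """Yield 'Name: value' for every MIME-related header in every part, unfolded."""
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        for name, value in part.items():
            lname = name.lower()
            if lname.startswith("content-") or lname == "mime-version":
                yield f"{name}: {' '.join(value.split())}"

def check_mime_headers(raw_message, rules):
    """Return (action, text, header_line) for the first matching rule, or None."""
    for line in mime_header_lines(raw_message):
        for pattern, action, text in rules:
            if pattern.search(line):
                return action, text, line
    return None

# Constructed sample messages (not real captures).
NOVARG_LIKE = """\
From: someone@example.invalid
To: postmaster@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(constructed body text)
--b1
Content-Type: application/octet-stream; name="body.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
  filename="body.zip"

UEsDBAo=
--b1--
"""

RENAMED_ZIP = """\
From: someone@example.invalid
To: postmaster@example.invalid
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

(constructed body text)
--b2
Content-Type: application/zip; name=photos.zip
Content-Disposition: attachment

UEsDBAo=
--b2--
"""

BENIGN_PDF = """\
From: someone@example.invalid
To: postmaster@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

(constructed body text)
--b3
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=
--b3--
"""

if __name__ == "__main__":
    for label, raw in (("novarg", NOVARG_LIKE), ("renamed", RENAMED_ZIP), ("pdf", BENIGN_PDF)):
        print(label, "narrow:", check_mime_headers(raw, NARROW_RULES))
        print(label, "broad: ", check_mime_headers(raw, BROAD_RULES))
```

The narrow rule discards the body.zip message and nothing else; the renamed attachment slips past it and is only caught by the broad rule, which still leaves the PDF alone. That is the trade-off the regexp table forces on you: match the worm's current name and miss the next variant, or match the container type and accept losing legitimate zip mail for a while.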

=========================
*update*

OK, it turns out that the filename varies. For the moment, I'm dropping everything with a .zip attachment. I've gotten a HUGE surge in inbound email in the last 2 or 3 hours, MOST of it consisting of this virus message, and almost all of it is coming from two addresses: 63.164.145.33 and 63.164.145.161. I don't know who this is, but they are making dozens of connections per second to deliver mail. Or at least, they were, until I told the firewall about them.

I hope they stop soon.

Posted by rbowen at January 26, 2004 06:38 PM
Comments

CO_USA is ~postmaste@63.164.145.161 (John Doe), if you're on IRC right now.

Posted by: Richard Soderberg on March 2, 2004 09:54 AM

Those are Kinkos IP addresses.

Kinkos, Inc. FON-1067749632866191 (NET-63-164-145-0-1)
63.164.145.0 - 63.164.145.255

OrgName: Kinkos, Inc.
OrgID: KINKOS-2
Address: 255 West Stanley Avenue
City: Ventura
StateProv: CA
PostalCode: 93002-8000
Country: US

NetRange: 63.164.145.0 - 63.164.145.255
CIDR: 63.164.145.0/24
NetName: FON-1067749632866191
NetHandle: NET-63-164-145-0-1
Parent: NET-63-160-0-0-1
NetType: Reassigned
Comment:
RegDate: 2002-04-11
Updated: 2002-08-08

TechHandle: IK81-ARIN
TechName: Kinkos, InfoSec
TechPhone: +1-805-652-4000
TechEmail: information.security@kinkos.com

They've probably fixed them by now, but it's still worth knowing for next time.

Posted by: Richard Soderberg on March 2, 2004 09:58 AM