Sunday, January 6

Procmail rule for the Storm Worm

Check this out

# Storm Worm filter: the Subject carries one of the holiday lures the worm uses
# (the original pattern had no space between the lure and "New Year"; " ?" allows one)
:0
* ^Subject:.*((A fresh|As the|It\'s the|Blasting|As you embrace another|Joyous|Happy 2008|Happy|Lots of greetings on the) ?(((n|N)ew) ?((y|Y)ear))|New Hope and New Beginnings|(Ecard|Postcard|wishes for You))
{
  # ... and the body links to one of the card/greeting domains collected from the spam
  # (one opening paren was missing from the outer group; procmail matches case-insensitively
  # by default, so the (n|N) style alternations are harmless but not needed)
  :0 B
  * ^http.*(((((happy|familypost|fresh|newyear|post(\-)?|parents|santap)cards)|hellosanta|hohoho|santawishes)(2008)?)|(you|u)havepostcard|merrychristmasdude|worldlcasino|happy2008toyou|winbnow)
  # trailing slash = maildir delivery; procmail writes to .spam/tmp and moves to .spam/new itself
  ${MAILDIR}/.spam/
}

I started going through all the Storm Worm emails that I've been getting, took all the domains, and made a procmail rule out of them. Now, it's quite a big list with lots of 'or' statements. I haven't sped it up or optimized it at all, so we'll see how it works. If you have suggestions for making it faster, please feel free to get back to me. Hopefully this helps you out a bit. Or, if you have made some rules, please submit them back here.
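Since the rule is just a regex alternation built from a domain list, it is easy to regenerate as new Storm domains turn up and to dry-run against saved messages before it touches real mail. The script below is an added example, not code from the post: it builds the same nested Subject-then-body procmail recipe from a list of domains and subject lures, escaping regex metacharacters so "a.com" cannot match "axcom", and then applies the two patterns to a handful of constructed sample messages the way procmail would (header up to the first blank line, body after it, case-insensitive). The domain list, subject lures and sample messages are all made up for illustration.

```python
"""Generate a Storm Worm procmail recipe from a domain list and dry-run it.

Added example, not code from the original post.  The domains, subject
lures and sample messages below are constructed for illustration; in
practice the lists come from the spam you have actually collected.
"""
import re

# Constructed: landing domains pulled out of collected Storm card spam.
STORM_DOMAINS = [
    "happycards2008.com",
    "familypostcards2008.com",
    "uhavepostcard.com",
    "merrychristmasdude.com",
    "happy2008toyou.com",
]

# Constructed: Subject-line lures used by the same campaign.
STORM_SUBJECTS = [
    "Happy New Year",
    "Joyous New Year",
    "New Hope and New Beginnings",
    "Postcard",
]

# Characters that are special in procmail's egrep-style regexps.  procmail has
# no \s, \d or \w, so the generated pattern sticks to this subset, which
# Python's re module reads the same way.
PROCMAIL_SPECIAL = set(r'\.^$*+?()[]|')


def procmail_escape(text):
    """Backslash-escape regexp metacharacters (so '.' in a domain is literal)."""
    return "".join("\\" + c if c in PROCMAIL_SPECIAL else c for c in text)


def alternation(items):
    """Build 'a|b|c', longest item first so a shorter alternative that is a
    prefix of a longer one is never tried ahead of it."""
    return "|".join(procmail_escape(i) for i in sorted(items, key=len, reverse=True))


def subject_pattern(subjects):
    return r"^Subject:.*(" + alternation(subjects) + r")"


def body_pattern(domains):
    # Match a listed domain, or any subdomain of it, inside an http/https URL.
    return r"https?://([^/ ]*\.)?(" + alternation(domains) + r")"


def build_recipe(subjects, domains, spam_maildir="${MAILDIR}/.spam/"):
    """Emit a nested procmail recipe: lure Subject AND a link to a listed domain.
    The trailing slash makes procmail deliver to a maildir (tmp/ then new/)."""
    return "\n".join([
        ":0",
        "* " + subject_pattern(subjects),
        "{",
        "  :0 B",
        "  * " + body_pattern(domains),
        "  " + spam_maildir,
        "}",
        "",
    ])


def matches_recipe(raw_message, subjects, domains):
    """Dry-run the recipe on a raw message without invoking procmail.

    procmail matches case-insensitively by default and treats '^' as
    start-of-line, hence re.I | re.M.  The header is the text up to the
    first blank line and the body is everything after it, which is how
    procmail splits a message for a B-flagged recipe."""
    header, _, body = raw_message.partition("\n\n")
    flags = re.I | re.M
    return bool(re.search(subject_pattern(subjects), header, flags)
                and re.search(body_pattern(domains), body, flags))


# Constructed sample messages, one per situation the rule has to handle.
SAMPLES = {
    # Lure subject plus a link to a listed domain: caught.
    "storm_card": ("From: greetings@example.org\n"
                   "Subject: Happy New Year!\n"
                   "\n"
                   "Someone sent you a card:\n"
                   "http://www.happycards2008.com/\n"),
    # Same lure, link by bare IP: not in the domain list, so not caught.
    "storm_bare_ip": ("From: greetings@example.org\n"
                      "Subject: Joyous New Year\n"
                      "\n"
                      "http://192.0.2.10/card.exe\n"),
    # Real greeting with the same subject but no link: must pass through.
    "real_greeting": ("From: mom@example.org\n"
                      "Subject: Happy New Year from all of us\n"
                      "\n"
                      "Love, Mom\n"),
    # Ordinary mail with a link: must pass through.
    "work_link": ("From: colleague@example.org\n"
                  "Subject: Meeting notes\n"
                  "\n"
                  "http://intranet.example.com/notes\n"),
}


def classify_samples():
    """Return {sample name: caught by the recipe?} for every constructed sample."""
    return {name: matches_recipe(raw, STORM_SUBJECTS, STORM_DOMAINS)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    print(build_recipe(STORM_SUBJECTS, STORM_DOMAINS))
    for name, caught in classify_samples().items():
        print(f"{name:15s} -> {'spam' if caught else 'inbox'}")
```

The bare-IP sample is the caveat: a domain list only catches links to domains you have already seen, so the list has to be refreshed as the campaign moves. To check the generated recipe with procmail itself rather than this dry-run, save it to a file, put `VERBOSE=on` at the top, and feed a saved message through `procmail -m rcfile < message`; the log shows which condition matched.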

Cd-MaN said...

Hmmm, AFAIK Storm sends the e-mails from infected PCs ("bots"), so looking at the domains corresponding to the reverse-DNS'd IP isn't useful since it is a very diverse and ever-growing list?

Or maybe I misunderstood and you were referring to the domains of the spoofed "from" fields...

Joel Esler said...

The rule is merely filtering out the thousands of emails that Storm sends out. By sending those emails to /dev/null, maybe no one can click on them. Of course every variant of the Storm worm will be different, but this is a start.