Create a Mail rule to block the w32.sobig.f spam worm
Andrew Stone of Stone Design sent in a submission for dealing with the w32.sobig.f worm that's currently filling many OS X users' mailboxes with hundreds of junk emails. I had also received a couple emails from users about the flood of email, and had started working on the same thing last night. Since it appears to be hitting a large number of people, here's Andrew's Mail rule which will automatically delete the vast majority of these worm spams. You can read more about the worm on Symantec's site.

Create a new Mail rule, and set "If 'any' of the following conditions are met," and add all of these conditions:
  • Subject - Ends with - My details
  • Subject - Ends with - Your details
  • Subject - Ends with - Your application
  • Subject - Ends with - Wicked screensaver
  • Subject - Ends with - That movie
  • Subject - Ends with - Approved
  • Subject - Ends with - Details
  • Subject - Ends with - Thank you!
  • From - Is equal to - admin@internet.com
In the "Perform the following actions" section of the dialog, set the first action to "Delete message" and the second to "Stop evaluating rules." Make this new rule the first rule in your rules list, so it runs before everything else. Andrew created an image that displays the finished rule.

The macosxhints mail server has some spam-killing software installed, and it's done a good job at sheltering my inbox from the onslaught, but I still received over 50 of these in the last 24 hours. I've now added the above rule to my Mail rule definitions, though I choose to transfer them to a "Probably Junk" mailbox as opposed to deleting them. That way, I can review them just to be sure none are "real" emails (in particular, the "Thank you!" condition will probably catch a couple real emails).
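
Here is the rule above emulated in Python, as an added example rather than anything from the hint or from Andrew Stone's rule. It evaluates the nine conditions the way the "any of the following" setting does, runs the two actions in order, and then applies the rule to a small constructed mailbox to count how much legitimate mail a "Delete message" action would silently discard. String comparisons are assumed to be case-insensitive, as Mail.app's are; the sender addresses and subjects are made up for the demo.

```python
"""Emulate the Mail.app rule from this hint (added example, not the hint's own code).

Mail.app evaluates rules top to bottom; a rule fires when "any" (or "all")
of its conditions hold, its actions then run in order, and "Stop evaluating
rules" ends processing for that message. String operators are assumed to be
case-insensitive here, matching Mail.app's behaviour.
"""
from typing import Callable

# The rule exactly as the hint lists it: (header, operator, value).
SOBIG_RULE = {
    "name": "Sobig.F",
    "match": "any",
    "conditions": [
        ("Subject", "ends with", "My details"),
        ("Subject", "ends with", "Your details"),
        ("Subject", "ends with", "Your application"),
        ("Subject", "ends with", "Wicked screensaver"),
        ("Subject", "ends with", "That movie"),
        ("Subject", "ends with", "Approved"),
        ("Subject", "ends with", "Details"),
        ("Subject", "ends with", "Thank you!"),
        ("From", "is equal to", "admin@internet.com"),
    ],
    "actions": ["Delete message", "Stop evaluating rules"],
}

# The four string operators the rule dialog offers that matter here.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "ends with":   lambda field, v: field.lower().endswith(v.lower()),
    "begins with": lambda field, v: field.lower().startswith(v.lower()),
    "contains":    lambda field, v: v.lower() in field.lower(),
    "is equal to": lambda field, v: field.lower() == v.lower(),
}


def rule_matches(rule: dict, headers: dict) -> bool:
    """'any' fires on the first true condition; 'all' needs every one of them."""
    results = [OPERATORS[op](headers.get(hdr, ""), value)
               for hdr, op, value in rule["conditions"]]
    return any(results) if rule["match"] == "any" else all(results)


def apply_rules(rules: list, headers: dict) -> list:
    """Actions taken on one message, honouring 'Stop evaluating rules'."""
    taken = []
    for rule in rules:
        if not rule_matches(rule, headers):
            continue
        for action in rule["actions"]:
            taken.append(action)
            if action == "Stop evaluating rules":
                return taken
    return taken


# Constructed sample mailbox: (From, Subject, is_worm). The worm entries use
# subjects the hint lists; the others are plausible legitimate mail.
SAMPLE_MAILBOX = [
    ("bob@example.net", "Re: Your details", True),
    ("carol@example.net", "Re: Wicked screensaver", True),
    ("admin@internet.com", "Re: Re: My details", True),
    ("dave@example.net", "Thank you!", True),
    ("alice@example.org", "Thank you!", False),                   # a real thank-you note
    ("erin@example.org", "Meeting details", False),               # ends with "details"
    ("frank@example.org", "Your loan has been approved", False),  # ends with "approved"
    ("grace@example.org", "Lunch on Friday?", False),
]


def triage(rules: list, mailbox: list) -> tuple:
    """Split a mailbox into (deleted, kept, false_positives) under the given rules."""
    deleted, kept, false_positives = [], [], 0
    for sender, subject, is_worm in mailbox:
        actions = apply_rules(rules, {"From": sender, "Subject": subject})
        if "Delete message" in actions:
            deleted.append(subject)
            false_positives += not is_worm
        else:
            kept.append(subject)
    return deleted, kept, false_positives


if __name__ == "__main__":
    deleted, kept, fp = triage([SOBIG_RULE], SAMPLE_MAILBOX)
    print(f"deleted {len(deleted)} ({fp} legitimate), kept {len(kept)}: {kept}")
    # The same conditions with "all" instead of "any" never fire: no subject
    # can end with every phrase at once.
    print("deleted with 'all':", triage([{**SOBIG_RULE, "match": "all"}], SAMPLE_MAILBOX)[0])
```

Flipping `match` to "all" deletes nothing, since no subject can end with every phrase at once. The "Details" and "Approved" conditions produce the three false positives in the sample, which is why transferring matches to a review mailbox rather than deleting them is the safer action.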

Side note: Yes, just two hints today ... sorry, but that's the way it goes sometimes!

Create a Mail rule to block the w32.sobig.f spam worm | 28 comments
.mac email being filtered
Authored by: elcuco on Aug 20, '03 10:22:49AM

The emails are annoying but at least we are automatically by not using a Microsoft OS. .Mac email also filters out the virus before it hits your inbox. All it sends is a notification that the message was infected.

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: designr on Aug 20, '03 12:39:11PM

SpamSieve learned how to delete these in like 4 seconds...I haven't seen one since.

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: bustthis on Aug 20, '03 01:51:59PM

i use mailsmith 2.0 with spamsieve 1.3.1 and have had no such luck. i have received hundreds and hundreds of these emails and they all seem to go into my inbox.

i have tried to apply this filter in mailsmith, but it's not working and these emails are so annoying. if anyone is using mailsmith and/or spamsieve, can you help me out?

my filter is applied to the trash folder and it looks like this:
if Subject - Ends with - My details
and Subject - Ends with - Your details
and Subject - Ends with - Your application
and Subject - Ends with - Wicked screensaver
and Subject - Ends with - That movie
and Subject - Ends with - Approved
and Subject - Ends with - Details
and Subject - Ends with - Thank you!
and From - Is equal to - admin@internet.com

transfer - trash
stop filtering this message

it's not moving them to the trash and spamsieve only marks some of them as spam.

please help!!!

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: ashill on Aug 20, '03 02:41:11PM

Don't you want 'or', not 'and'? It'll be hard to find a subject that ends with all of those phrases.

-Alex Hill

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: bustthis on Aug 20, '03 03:01:01PM

duh, stupid me... see, this is what i need you guys for!!! thanks, it seems to work, now if i could figure out which folder to attach it to?

thanks

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: shemp9999 on Aug 20, '03 01:33:03PM

i got like 53 mails from one domain (ironically, that domain was chandon) yesterday.

i gleaned the host IP address from the mail headers (they all originated from the same host) and let them know they had a problem.

the mails stopped coming in after a couple of hours...

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: EbeX on Aug 20, '03 01:49:44PM

Really? Delete all emails ending in "Approved"? What about my online loan application? Seriously, that seems like an overreaching mail rule. Although I must admit, I don't have a better solution.

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: seb2 on Aug 20, '03 08:13:03PM

Well, for one thing, you could do the following:

Add an extra rule for "Approved", and set it to "when all conditions are met".
When editing the rule, add a new criterion, in the popup menu on the left, click on "Edit Header List" and manually add the two following headers: "X-Mailer" and "Content-Type". Then add the two criteria '"X-Mailer" contains "Outlook"' and '"Content-Type" contains "multipart/mixed"', that will filter out messages sent by outlook that contain an attachment (or are HTML).

Now, what you really want to do is this.
Authored by: nevyn on Aug 20, '03 02:18:46PM

Now, what you really want to do is this. Make the rule have all the messages go to a specific folder. Wait for a few hours or maybe a day. You should now have about a hundred of Sobig spam mails. Quickly look through the subjects and make sure none of them are legitimate mails actually addressed to you. When done with that, select all the mails in the folder.

Now.

Press, "Mark this as Junk". (or through context menu).

You should now never have any problems with Sobig spam again.

(Yes, all 150 mails I've gotten in the past 24 hours have come from the same machine. Tried reporting it to the ISP, but they weren't listening.)

Try this instead
Authored by: whatev on Aug 20, '03 03:28:38PM

I think this rule is useful but perhaps too overarching.

Instead, look for attachments which end in .pif or .scr - since these are Windows-specific and CANNOT work on Macs, AND since they are much more likely to be viruses anyway, they're probably safe to delete. (Unless you're a Windows developer reading mail on a Mac...I know, riiiight.)

For the curious: .pif are DOS commands, and .scr are scripts.

Try this instead
Authored by: filburt1 on Aug 20, '03 07:00:43PM

.scr files are screen savers, not scripts. Screen savers in Windows are really normal programs with a different extension and that take different command-line arguments.

Try this instead
Authored by: mprewitt on Aug 22, '03 09:25:34AM

Indeed the viruses do come with .scr (screen saver) and .pif (program information file) extensions. It just so happens that both of these are common containers for viruses -- they are both executable, although I am not sure how the .pif one works, since it usually redirects to a DOS program. But unquestionably they are both very common in virus messages, not just the current SoBig variety.

Try this instead
Authored by: GaelicWizard on Aug 21, '03 02:03:25AM

and .pif files are "program information files" they contain information about dos commands (and can contain scripts, afaik) but are not actually dos commands...

---
Pell

Try this instead
Authored by: mprewitt on Aug 22, '03 09:26:43AM

Ditto to what I said to the previous post in the thread.

Try this instead
Authored by: JHromadka on Aug 21, '03 10:22:39AM

How do you do this in mail? I can't figure out how to tell it to mark messages with a particular attachment (i.e. .PIF) as Junk and delete it.

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: JJ on Aug 20, '03 06:45:02PM

Apart from my email program not being able to filter on "Subect"...

if you filter any Subject ending in "Details", then also checking for Subjects ending in "My details" and "Your details" is redundant, unless the filter is case-sensitive

Checking this in combination with the names of the attachment this virus uses would also be much safer

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: rusto on Aug 21, '03 01:19:23PM

Say you didn't want to filter out emails with "other details", then setting a rule for subjects ending in "details" would not work: it would filter the good along with the bad.

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: jason.flores on Aug 20, '03 07:00:34PM

Have a similar problem. I look for a particular part of the MIME-encoded attachment. If it is there I delete the message.

So I set to check message content for the following string:

TVqQAAMAAAAEAAAA

Look at the raw source of the message, that string above is the first part of the encoded attachment.

My wife has been getting a message for the last couple of days with a lot of different subjects, from addresses, and attachment file names and extensions (so far .scr, .pif and .exe). Searching for the above has grabbed every one so far (over 200 now).

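
Two of the comments above look at the attachment rather than the Subject: the .pif/.scr extensions, and the base64 string TVqQAAMAAAAEAAAA in the raw source. The following Python is an added example, not code from the hint or from either commenter. It parses a raw message with the standard library, flags attachment names with Windows executable extensions, and decodes each attachment to check for the "MZ" bytes a Windows executable begins with; TVqQAAMAAAAEAAAA is exactly the base64 of the first twelve bytes of such a header (4D 5A 90 00 03 00 00 00 04 00 00 00). The messages, filenames and the fake executable are constructed for the demo.

```python
"""Filter on the attachment, not the Subject (added example; not from the hint or comments).

Walk the MIME parts of a raw message, flag attachment names with Windows
executable extensions, and decode each attachment to look for the "MZ"
signature every Windows executable starts with. Decoding is what the
raw-source string search in the comment above approximates: TVqQAAMAAAAEAAAA
is base64 for 4D 5A 90 00 03 00 00 00 04 00 00 00, the start of a DOS/PE header.
"""
import base64
import email
from email import policy

EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# Constructed stand-in for a Windows executable: a real-looking 12-byte DOS
# header (e_magic "MZ", e_cblp, e_cp, e_crlc, e_cparhdr) followed by padding.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\xff\xff\x00\x00" + b"\x00" * 44
ENCODED_PREFIX = base64.b64encode(FAKE_EXE[:12]).decode("ascii")  # "TVqQAAMAAAAEAAAA"


def build_message(sender: str, subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed Outlook-style multipart/mixed message with one base64 attachment."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return (
        f"From: {sender}\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="_NextPart_000_0000"\n'
        "\n"
        "--_NextPart_000_0000\n"
        "Content-Type: text/plain\n"
        "\n"
        "See the attached file for details.\n"
        "--_NextPart_000_0000\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        f"{b64}"
        "--_NextPart_000_0000--\n"
    ).encode("ascii")


def suspicious_attachments(raw: bytes) -> list:
    """One finding per attachment that has an executable extension or MZ bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if not name and part.get_content_disposition() != "attachment":
            continue  # body text, not an attachment
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""  # undoes base64/quoted-printable
        bad_ext = ext in EXECUTABLE_EXTENSIONS
        has_mz = data[:2] == b"MZ"
        if bad_ext or has_mz:
            findings.append({"filename": name, "bad_extension": bad_ext, "mz_header": has_mz})
    return findings


def raw_string_match(raw: bytes) -> bool:
    """The comment's approach: search the raw source for the encoded MZ prefix."""
    return ENCODED_PREFIX.encode("ascii") in raw


if __name__ == "__main__":
    for name, payload in [("your_details.pif", FAKE_EXE), ("photo.jpg", FAKE_EXE),
                          ("invoice.pdf", b"%PDF-1.4\n%constructed\n")]:
        raw = build_message("someone@example.net", "Re: Thank you", name, payload)
        print(name, suspicious_attachments(raw), raw_string_match(raw))
```

Decoding catches the renamed copy (photo.jpg) that the extension check misses, and it does not depend on the attachment being base64-encoded, which the raw-source string search does. The Subject used here, "Re: Thank you" without the exclamation mark, would also slip past the hint's subject rule.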
A variant
Authored by: tomem on Aug 20, '03 07:54:14PM

I'm trying a rule that looks for a "from" field that begins with "<" and ends with ">", moving them to the junk mail folder for checking. It appears to me that all of these messages are of that form, rather than having a real name in addition to an email address. This seems to work, and I see hardly any real messages of that form...

---
TomEM
Crofton, MD

Gotta disagree with this one...
Authored by: Crawfish Jones on Aug 21, '03 12:57:41PM

Those subject lines are too short and too generic to set up an automatic filter with. You're going to automatically delete a message that has the word "Details" in the subject? That's crazy!

At least add a Custom Header to filter on named "Attachments", and only filter the messages with both the word in the subject line AND say "There is 1 attachment" in the Attachments header.

However, I am getting far more bouncebacks where my email address has been spoofed than direct virus emails, and most of the bouncebacks don't have the aforementioned keywords in the Subject line.

It's too bad Mail can't filter on the name of the attachment.

Create a Sendmail rule to block the w32.sobig.f spam worm
Authored by: Trunkmonkey on Aug 21, '03 05:22:19PM

And, for you Sendmail geeks:

# sendmail.cf fragment. The H line sends every Subject: header through the
# Check_Subject ruleset; D{MMsg} defines the text returned in the 550 reply.
HSubject:	$>Check_Subject
D{MMsg}Possible virus detected.  Email rejected due to a Subject: that viruses commonly use.  Please change your Subject: and re-send.  Thank you.
SCheck_Subject

# Each R line is LHS<tab>RHS. sendmail tokenizes the header value on
# whitespace and on operator characters such as ':' '.' and '!', which is why
# the patterns are written "Re : Approved" and "Thank you !". $* matches any
# run of tokens: a pattern with no leading $* must match from the first token,
# and one with no trailing $* must match the whole Subject:.
R$* ILOVEYOU $*					$#error $: "550 ${MMsg}"
RA funny game $*				$#error $: "550 ${MMsg}"
RA special nice game $*				$#error $: "550 ${MMsg}"
RHappy Allhallowmas $*				$#error $: "550 ${MMsg}"
RHave a good Allhallowmas $*			$#error $: "550 ${MMsg}"
RW32 . Klez . E removal tools $*		$#error $: "550 ${MMsg}"
RRe : Approved					$#error $: "550 ${MMsg}"
RRe : Details					$#error $: "550 ${MMsg}"
RRe : Re : My details				$#error $: "550 ${MMsg}"
RRe : Thank you !				$#error $: "550 ${MMsg}"
RRe : That movie				$#error $: "550 ${MMsg}"
RRe : Wicked screensaver			$#error $: "550 ${MMsg}"
RRe : Your application				$#error $: "550 ${MMsg}"
RThank you !					$#error $: "550 ${MMsg}"
RYour details					$#error $: "550 ${MMsg}"

Create a Sendmail rule to block the w32.sobig.f spam worm
Authored by: leebennett on Aug 21, '03 08:15:00PM
You don't need all these rule conditions. I've described here that you only need to set a rule to look for the bogus header, X-MailScanner: Found to be clean. Then, just set its action to delete the message.

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: mprewitt on Aug 22, '03 09:37:06AM

Cool. Assuming this header is not used by legitimate email (which I am fairly confident it is not), this hint is the king -- at least as far as this particular worm is concerned.

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: bignumbers on Aug 25, '03 10:31:50AM
Please note that this IS a perfectly legit header used by the "mailscanner" program. If your mail server uses (or in the future installs) mailscanner, this will flag every "good" message as having the virus. The virus author inserted it as a ruse to try to bypass mailscanner (which it does not). More info at: http://www.sng.ecs.soton.ac.uk/mailscanner/sobig.html I also think the same header is used by SpamAssassin, and could result in the same mass false-positive.

Simpler Rule
Authored by: Diggory on Aug 22, '03 06:09:08AM
Go to "Edit Header List..." in the Mail.app rules prefpane.

Add "Content-Type" to the list of headers.

Set this rule:
Content-Type Contains: boundary="_NextPart_000_

---
*****
monkeyfood software - http://www.monkeyfood.com

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: wOOge on Aug 25, '03 11:03:44AM

I use the following Rule:
--------
if ALL of the following are met:
Content-Type - Begins with - multipart/mixed
X-Mailer - Contains - Microsoft
Subject - Contains - Re:
Sender is not in my Address Book
----------
By meeting ALL of the requirements, it's *less likely* that a valid e-mail from someone i know, will be tagged...

Then i have it moved to a folder where i can evaluate its likeliness as a virus, and apply the "This is Junk" setting to them.

---
wOOge
http://mac.axonz.com

My variant of the rule...
Authored by: wOOge on Sep 05, '03 10:30:33AM
[As I posted on axonz.com]

I created a simpler mail rule to filter out the junk. You will need Apple Mail.app for Mac OS X for this tip, but you could apply the same technique to other mail clients.

To be on the safe side:
Create a new mailbox subfolder called "Suspected Viruses" so that tagged mail can be stored there, and later quickly see if valid e-mail was tagged, and then delete/mark as junk the rest.

Now to create the rule:
  • Open Mail.app's preferences, and click on rules
  • Create a new rule and call it what ever you want (i called it "Mr. Clean")
  • Add the following 2 new headers to the headers list:
    • X-Mailer
    • Content-Type

  • Next make the following changes to the rule (omit quotes):
    • if ALL of the following are met:
    • Content-Type > Begins with > "multipart/mixed"
    • X-Mailer > Contains > "Microsoft"
    • Subject > Contains > "Re:"
    • Sender is not in my Address Book

  • Set the action to transfer the tagged mail to the "Suspected Viruses" mailbox created in step one.

Save and close the rule, and preferences.

What will this do?
This rule will check to see if the unwanted e-mail was sent from a PC, with multiple formats included (attachments) with the word "Re:" in the subject (as most of the most recent viruses do), and ensure that the e-mail is not from someone in your address book.

Since it's unlikely that someone you know will use a foreign e-mail address to send you a file, this rule is quite effective.

YMMV - Good Luck!

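
The "Mr. Clean" rule above, as an added Python example (not wOOge's own code): each of the four conditions is evaluated separately so that a hit in the "Suspected Viruses" folder can be explained, and the verdict is their conjunction. The address book, the three sample messages and the X-Mailer string in them are constructed for the demo.

```python
"""wOOge's 'Mr. Clean' rule in Python (added example, not the post's own code).

All four conditions must hold. Evaluating them one at a time is what lets
you look at a flagged message and see why it landed in the review folder.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for Mail.app's Address Book.
ADDRESS_BOOK = {"alice@example.org", "bob@example.org"}


def mr_clean(raw: str, address_book: set = ADDRESS_BOOK) -> dict:
    """Per-condition results plus the combined 'suspected_virus' verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    checks = {
        # Content-Type > Begins with > "multipart/mixed"
        "content_type_multipart_mixed": str(msg.get("Content-Type", "")).lower().startswith("multipart/mixed"),
        # X-Mailer > Contains > "Microsoft"
        "x_mailer_microsoft": "microsoft" in str(msg.get("X-Mailer", "")).lower(),
        # Subject > Contains > "Re:"
        "subject_re": "re:" in str(msg.get("Subject", "")).lower(),
        # Sender is not in my Address Book
        "sender_unknown": sender not in address_book,
    }
    checks["suspected_virus"] = all(checks.values())
    return checks


# Constructed sample messages. WORM_LIKE carries the headers the rule targets.
WORM_LIKE = """\
From: <frank@example.net>
To: you@example.org
Subject: Re: Your details
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_0001"

--_NextPart_000_0001
Content-Type: text/plain

See the attached file for details.
--_NextPart_000_0001
Content-Type: application/octet-stream; name="your_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_details.pif"

TVqQAAMAAAAEAAAA
--_NextPart_000_0001--
"""

# An ordinary HTML mail from a stranger using Outlook: no "Re:", multipart/alternative.
STRANGER_HTML = """\
From: Newsletter <news@example.com>
To: you@example.org
Subject: October product update
X-Mailer: Microsoft Outlook, Build 10.0.2627
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_NextPart_000_0002"

--_NextPart_000_0002
Content-Type: text/plain

Plain-text version.
--_NextPart_000_0002
Content-Type: text/html

<p>HTML version.</p>
--_NextPart_000_0002--
"""

SAMPLES = {
    "worm_like": WORM_LIKE,
    # Identical headers, but the sender is in the address book.
    "same_headers_from_contact": WORM_LIKE.replace("From: <frank@example.net>",
                                                   "From: Alice <alice@example.org>"),
    "stranger_html_mail": STRANGER_HTML,
}


def suspected(samples: dict) -> list:
    """Names of the samples the rule would move to 'Suspected Viruses'."""
    return [name for name, raw in samples.items() if mr_clean(raw)["suspected_virus"]]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, mr_clean(raw))
    print("flagged:", suspected(SAMPLES))
```

Two limits worth keeping in mind. X-Mailer and Content-Type are written by the sending program, so this is a fingerprint of the worm's own headers, and a variant that changes them passes unflagged. The fourth condition reads the From: address, which this worm forges (the bounce-backs an earlier commenter describes are the result), so a forged sender that happens to be in your address book passes too.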