
[cobalt-security] Klez virus, sircam virus



I have been hit hard in the past by the sircam virus.
I am currently being hit hard by the Klez virus.

I was given a procmail recipe for the sircam months ago and I now have one for the Klez.

Since I started using the sircam recipe I have not received a single sircam virus. Since I started using the Klez recipe I have confirmed 182 out of 182 emails with the Klez. Now they go to /dev/null. I have only had one get through; that is better than 50 per day.

I was asked to post the procmail recipes for others. I am not a procmail user by choice, but by necessity. I do not really understand them except to say they are helping me.

Here is my procmailrc file that is in my /etc directory. It may not make it to everyone due to the sircam text. I have removed a piece of the sircam script as it sends an email to the sender telling them their computer is infected and a link to an anti-virus site.

************************start of procmailrc ************************

SHELL=/bin/csh
LOGFILE=/var/log/procmail.log



# The Content-Type line is a required condition, so only multipart or
# attachment mail is scored. Each body phrase that matches adds 1, and any
# positive total sends the message to /dev/null.
:0
* ^Content-Type:.*(multipart|attachment)
* 1^0 B ?? Hi\! How are you(\?|=3F)
* 1^0 B ?? I send you this file in order to have your advice
* 1^0 B ?? See you later (\.|=2E) Thanks
* 1^0 B ?? Hola como estas *\?
* 1^0 B ?? Te mando este archivo para que me des tu punto de vista
* 1^0 B ?? Nos vemos pronto, gracias\.
* 1^0 B ?? I hope you like the file that I send( t)?o you
* 1^0 B ?? This is the file with the information that you ask for
{
  :0
  /dev/null
}



:0
* ^Content-Type:.*(multipart|attachment)
{
 :0B
 * > 50000
 * ^Content-Type:[ 	]*(audio/x-|application)
 * 1^0 ()<i?frame[ 	]*src=(3d)?cid:
 * 1^0 ^--[^ ]+$$Content-
 * 1^0 ^--[^ ]+$--[^ ]+$
 /dev/null
}

************************end of procmailrc ************************
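
Added example, not part of the original post: a small Python model of how the first recipe's scoring decides, run on constructed messages so the effect can be checked before mail is sent to /dev/null. It assumes the Content-Type line acts as a required condition and each body phrase adds 1; `verdict` and `body_score` are hypothetical names, and Python's `re` only approximates procmail's matcher.

```python
import re

# Required header condition and the weighted body phrases, from the first recipe.
HEADER_GATE = r"^Content-Type:.*(multipart|attachment)"
BODY_PATTERNS = [
    r"Hi\! How are you(\?|=3F)",
    r"I send you this file in order to have your advice",
    r"See you later (\.|=2E) Thanks",
    r"Hola como estas *\?",
    r"Te mando este archivo para que me des tu punto de vista",
    r"Nos vemos pronto, gracias\.",
    r"I hope you like the file that I send( t)?o you",
    r"This is the file with the information that you ask for",
]

def body_score(body):
    # procmail matches case-insensitively against the raw body; it does not
    # decode quoted-printable, which is why the recipe lists "=3F" beside "\?".
    return sum(1 for p in BODY_PATTERNS if re.search(p, body, re.I))

def verdict(raw):
    """Return (action, score) for one raw message under the assumed semantics."""
    head, _, body = raw.partition("\n\n")
    gated = re.search(HEADER_GATE, head, re.I | re.M) is not None
    score = body_score(body)
    return ("drop" if gated and score > 0 else "deliver", score)

# Constructed sample messages (not real traffic).
MIME_HEAD = "From: a@example.com\nContent-Type: multipart/mixed; boundary=b1\n\n"
SIRCAM_LIKE = MIME_HEAD + ("--b1\nContent-Type: text/plain\n\nHi! How are you?\n"
    "I send you this file in order to have your advice\n--b1--\n")
QP_ENCODED = MIME_HEAD + "--b1\nContent-Type: text/plain\n\nHi! How are you=3F\n--b1--\n"
CLEAN_MULTIPART = MIME_HEAD + "--b1\nContent-Type: text/plain\n\nMinutes enclosed.\n--b1--\n"
PLAIN_CHAT = ("From: b@example.com\nContent-Type: text/plain\n\n"
    "Hi! How are you? Free for lunch on Friday?\n")

if __name__ == "__main__":
    for name in ("SIRCAM_LIKE", "QP_ENCODED", "CLEAN_MULTIPART", "PLAIN_CHAT"):
        print(name, verdict(globals()[name]))
```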