Saturday, January 31, 2004

Not *my* doom

You've probably heard about the MyDoom virii going around... I've noticed a general slowing of the network in the last couple of days, and I received a bunch of copies of the virus (neutered by my antivirus program) before I finally wrote a filter to weed the damn things out at the server.

If you haven't heard of it: MyDoom sends you an email with an official-looking subject line, and some innocuous text. There's an attachment, however, that (if you are foolish enough to open it) will infect your system and begin sending copies of itself to others, possibly by harvesting email addresses from your machine. (What a great gift for your friends.)

If you practice safe computing, this probably isn't a problem for you. If you use Outlook or Internet Explorer to read your mail on a Windows machine, you could be infected and not know it. (But actually, if you still use those two programs to read email after all of the shit that has gone down in the past few years, you are part of the problem anyway.) If you've noticed your computer slowing down over the past couple of days, or if your cable modem lights have been flashing like crazy, or if you just want to be sure your computer is clean, Network Associates (makers of McAfee antivirus) has a free program to find and kill these virii. (You should already be running antivirus programs, and not clicking on suspect emails, anyway... but it's nice of them to offer this little tool).

If you don't know what a procmailrc is, skip this next bit. If you do, this recipe has so far been 100% successful blocking the virus, with zero false positives (but YMMV, depending mostly on whether you often receive small attachments).

Modify as needed for your system (I use Maildirs rather than mboxes, for instance), and if any matches in the recipe have a high probability of blocking legitimate emails (for example if your work sends you a '' file regularly or somesuch), add a recipe above this one to filter that out... don't delete any one match (e.g. deleting 'data' and 'zip' from the recipe would open up 40 other combinations).