[Tip] ILOVEYOU Worm Sendmail Rules (2000)


[Tip] ILOVEYOU worm sendmail rules


Contributed by Dengue on 2000-05-05 from the lowest-common-denominator dept.

I wouldn't say I have a lot of sympathy for people who've been bitten by the ILOVEYOU worm.

[Updated mc file available]

[Updated yet again to handle the .F, .G, & .I variants]

Let's face it, if you click on anything attached to an email reading:

"kindly check the attached LOVELETTER coming from me."

[ Part 2, Application/OCTET-STREAM (Name: ]
[ "LOVE-LETTER-FOR-YOU.TXT.vbs") 10KB. ]
[ Cannot display this part. Press "V" then "S" to save in a file. ]

You are naive and stupid.
Hey, brother, I have a BRIDGE I'd like to sell you.

I won't even go there about the Outlook mail client.

But I recognize that some of us are responsible for some of them, so courtesy of BUGTRAQ and SENDMAIL I present for you a modified openbsd-proto.mc that you can use to regenerate your /etc/sendmail.cf or /etc/mail/sendmail.cf. To do that:

m4 openbsd-proto-iloveyou.mc > sendmail-new.cf
cp /etc/sendmail.cf /etc/sendmail.bak
cp sendmail-new.cf /etc/sendmail.cf
kill -HUP `head -1 /var/run/sendmail.pid`

I recommend checking the maillog to make sure sendmail restarted correctly, and then testing the ruleset. You should see something like this:

May 5 04:52:25 eris sendmail[32355]: restarting /usr/sbin/sendmail on signal
May 5 04:52:25 eris sendmail[13476]: starting daemon (8.9.3): SMTP+queueing@00:30:00
May 5 04:52:39 eris sendmail[24874]: EAA24874: ruleset=Check_Subject, arg1=ILOVEYOU, relay=dengue@localhost, reject=553 This message may contain the LoveLetter virus.
May 5 04:52:39 eris sendmail[24874]: EAA24874: from=, size=365, class=0, pri=30365, nrcpts=1, msgid=, proto=ESMTP, relay=dengue@localhost
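Checking the maillog by eye works for one test message, but once the ruleset is live you want to know how often it fires and from where. Below is an added example, not part of the original tip and not from the linked .mc file, that parses the kind of sendmail 8.9 log lines shown above: it picks out the ruleset rejections (queue id, ruleset, arg1, relay, SMTP code) and confirms that the HUP restart was followed by a fresh "starting daemon" line. The sample log inside it is constructed in that shape; the hostname, queue ids, addresses, relays and msgids are made up.

```python
import re
from collections import Counter

# Constructed sample maillog, shaped like the sendmail 8.9.3 excerpt above.
# Hostname, queue ids, addresses and msgids are invented for the example.
SAMPLE_MAILLOG = """\
May  5 04:52:25 eris sendmail[32355]: restarting /usr/sbin/sendmail on signal
May  5 04:52:25 eris sendmail[13476]: starting daemon (8.9.3): SMTP+queueing@00:30:00
May  5 04:52:39 eris sendmail[24874]: EAA24874: ruleset=Check_Subject, arg1=ILOVEYOU, relay=dengue@localhost, reject=553 This message may contain the LoveLetter virus.
May  5 04:52:39 eris sendmail[24874]: EAA24874: from=<dengue@localhost>, size=365, class=0, pri=30365, nrcpts=1, msgid=<200005050452.EAA24874@eris>, proto=ESMTP, relay=dengue@localhost
May  5 04:53:10 eris sendmail[24901]: EAA24901: ruleset=Check_Subject, arg1=fw: ILOVEYOU, relay=[192.0.2.10], reject=553 This message may contain the LoveLetter virus.
May  5 04:55:02 eris sendmail[24933]: EAA24933: from=<someone@example.net>, size=2048, class=0, pri=32048, nrcpts=1, msgid=<abc@example.net>, proto=ESMTP, relay=[192.0.2.11]
"""

# One ruleset rejection line: syslog timestamp, host, pid, queue id, the ruleset
# that fired, the argument it saw (the Subject here), the relay, and the reply.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): ruleset=(?P<ruleset>\w+), arg1=(?P<arg1>.*?), "
    r"relay=(?P<relay>\S+), reject=(?P<code>\d{3}) (?P<text>.*)$"
)


def parse_rejections(log_text):
    """Return one dict per ruleset rejection found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def rejections_by_relay(records):
    """Count rejections per relay; repeated hits from one relay point at an infected sender."""
    return Counter(r["relay"] for r in records)


def daemon_restarted(log_text):
    """True if the log shows the HUP restart followed by a fresh daemon start."""
    lines = log_text.splitlines()
    restart_idx = next(
        (i for i, line in enumerate(lines)
         if "restarting /usr/sbin/sendmail on signal" in line),
        None,
    )
    if restart_idx is None:
        return False
    return any("starting daemon" in line for line in lines[restart_idx + 1:])


if __name__ == "__main__":
    print("restart ok:", daemon_restarted(SAMPLE_MAILLOG))
    for r in parse_rejections(SAMPLE_MAILLOG):
        print(r["qid"], r["ruleset"], repr(r["arg1"]), r["relay"], r["code"])
    print(rejections_by_relay(parse_rejections(SAMPLE_MAILLOG)))
```

Run it against the real file (`/var/log/maillog` on the OpenBSD box in the tip) by reading that instead of `SAMPLE_MAILLOG`; the `arg1` field is the subject as sendmail saw it, so it also shows which variant subject lines are hitting the rule.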

Now keep in mind, this is a BRAINDEAD® solution to this, since all you have to do to defeat it is change the subject line. A better fix would be attachment content scanning. I encourage everyone to submit better rulesets, and I will post them here.
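To show why an attachment check survives a changed subject line where the Check_Subject rule does not, here is an added Python example (not from the tip or the linked ruleset) that walks the MIME parts of a message and flags any attachment whose final extension is something Windows will execute, such as the LOVE-LETTER-FOR-YOU.TXT.vbs part shown earlier. The messages it inspects are constructed in the block; the addresses and the placeholder attachment body are made up, and the executable-extension list is an assumption for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click (assumed list for the example).
# A name like "LOVE-LETTER-FOR-YOU.TXT.vbs" hides the real one behind ".TXT".
EXECUTABLE_EXTENSIONS = {"vbs", "vbe", "js", "jse", "exe", "scr", "pif", "bat", "cmd", "com"}


def risky_attachment_names(raw_message):
    """Return filenames of MIME parts whose last extension is executable.

    The decision is made on the part names, not on the Subject header,
    so renaming the subject line does not get the message past the check.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(subject, attachment_name):
    """Constructed test message: the body text quoted in the tip plus one
    application/octet-stream attachment with a placeholder payload."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"      # made-up address
    msg["To"] = "victim@example.org"        # made-up address
    msg["Subject"] = subject
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(
        b"' constructed placeholder body, not the worm\r\n",
        maintype="application",
        subtype="octet-stream",
        filename=attachment_name,
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                       ("Quarterly report", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                       ("ILOVEYOU", "notes.txt")]:
        print(repr(subj), name, "->", risky_attachment_names(build_sample(subj, name)))
```

The second case is the point of the exercise: the subject no longer says ILOVEYOU, so the sendmail rule passes it, but the .vbs part is still flagged. Rejecting on filename alone is still a crude filter (it says nothing about what is inside the part), but it is one step closer to the content scanning the tip calls for.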

This solution was built and tested on Sendmail 8.9.3 on OpenBSD 2.6. YMMV

-jim


Comments

Does anyone have a snort rule for this yet?

It seems that other ones are coming... They look like derivatives of the "ILOVEYOU" virus. Just prepare for another round of mail viruses.

Source: http://www.nai.com/asp_set/about_nai/press/releases/pr_template.asp?PR=/PressMedia/05042000-E.asp&Sel=750

I won't even go there about the Outlook mail client.

I will. If you went to an IS manager and told them "I'm going to install client software on all of your desktops that introduces subtle and frustrating inconsistencies into the way it handles the protocols it is supposed to be implementing. As an added bonus, this client will allow perfect strangers to send arbitrary code to it from anywhere, which it will then execute without reference to any sort of security model."

Strangely, they said yes. The fact that Outlook (or Active X within a browser) does this is just too farfetched I guess.

Back in - 1995? I think? - I remember getting a couple of panicked messages from people who had received the "Good Times" virus hoax message. I reassured them that although it was good to be cautious, there was no chance that a virus like this could exist. I'm thinking somehow Good Times got included in the requirements doc for MS Outlook by mistake, and they went ahead and built something that would make it possible.

