J.Goldberg@??? said:
> Regarding a new Word macro virus W97M.Malissa, which has the effect of
> sending chain mail
[...]
> does anyone have an Exim global filter for this?
Its very easy to do one - something like
if $h_subject begins "Important Message From "
then
fail "Message probably contains Melissa-Macro-Virus - see
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html for
details"
endif
in the system filter file. However this is likely to be subject to
false positives - I am sure a couple of messages I received in the last
year from the less computer literate management (or rather their
secretaries) would have triggered this. If the virus is widespread
then the false positives are worth it, if not then I would be tempted
to maybe add a rule like this to log a comment and see what the
prevelance is - or if you log subject you could quickly grep your logs
to see if it will hit.
Incidently I did a similar filter for the Happy99.exe worm - same sort
of length and config, but it had the advantage that Happy99 puts a
particular header into a message so detecting it gets rather fewer
false positives. You should be able to work out whats needed from the
anti-virus products web sites, but if you want me to provide the recipe
then contact me and I'll look it it out.
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
--
*** Exim information can be found at
http://www.exim.org/ ***
