Re: [EXIM] A filter for Malissa?

Top Page
Delete this message
Reply to this message
Author: Ken Bailey
Date:  
To: exim-users
Subject: Re: [EXIM] A filter for Malissa?
Hi

Having received our first wild Melissa I have rewritten the filter
slightly as there was a typo in the original! I suggest you to scan
your logs if you just cut and paste my example.

#
if $header_Subject contains "Important Message From" and
   $message_body contains
   "Here is that document you asked for ... don't show anyone else" then
#                                      ^ 
#   "Here is that document you asked for... don't show anyone else" then
   testprint "Melissa header and body part seen from $sender_address"
   freeze text
   "Melissa header and body part  seen. \n \
    Message may contain Melissa Word Macro Virus\n $message_headers"
endif
#


I have also increased the configuration value of message_body_visible
from the default of 500 as when we tested the filter internally the
addition of a lot of forwarding information by one MUA from the
headers to the body of the message buried the tell-tale body part.

Given the announcement about polymorphism for word Macro virii
http://www.geek-girl.com/bugtraq/current/1190.html
we are fighting a rapidly losing battle.....

Happy Easter

Ken 
-- 
# Ken Bailey, Computer Section,   # Internet: K.Bailey@??? #
# The Royal Botanic Gardens, Kew, #      Tel: +44 (0)181 332 5729    #
# Richmond, Surrey, TW9 3AE, UK   #      Fax: +44 (0)181 332 5736    #


--
*** Exim information can be found at http://www.exim.org/ ***