Hi
Using exim 2.04 I set up the following. Works well for original messages
but if I bounce a message (i.e. resend it) it gets through. The SUBJECT
header is still "ILOVEYOU" on a resend/bounce. All the original headers
are there plus some "Resent-*" headers. I went and was reading through
the 2.0 docs and didn't see anything there to catch this?
Thanks
Chad
--On Thursday, May 4, 2000 1:09 PM +0100 Richard Leyton <richard@???>
wrote:
> Hi all,
>
> F-Secure have a good description: http://www.fsecure.com/v-descs/love.htm
>
> Here's the one I've dropped in for this incident, and another recent
> virus which resulted in 'Check this' e-mails zooming about:
>
> # Exim filter
> if $h_subject begins "Check this" and not error_message
> then
>   fail text "you appear to have a virus on your PC. Check your system."
> endif
>
> if $h_subject begins "ILOVEYOU" and not error_message
> then
>   fail text "you appear to have a virus on your PC (see http://www.fsecure.com/v-descs/love.htm). Check your system, or rephrase the subject"
> endif
>
> with, of course, the following configuration entry:
>
> ###
> # System filter
> ###
> message_filter = /usr/exim/filters/central-filter
>
> Nasty little beast this. Looking at the logs, we've stopped distribution
> of this virus by two individuals already...
>
> Well worth doing, as it sounds like this virus is tearing its way
> around the internet at the moment.
>
> Regards,
>
> Richard.
>
>
>
> On Thu, May 04, 2000 at 01:01:44PM +0100, Jeffrey Goldberg wrote:
>> On Thu, 4 May 2000, Georg v. Zezschwitz wrote:
>>
>> > as I've never worked with Exim Mailfilters so far, has anybody
>> > a line of filter code ready to drop the "I LOVE YOU"-virus?
>>
>> This is my first system filter, and I did have trouble with a more
>> complex condition so settled on
>>
>> ====================================
>> # Exim filter
>>
>> #if ($message_body CONTAINS "LOVE-LETTER-FOR-YOU.TXT.vbs" and
>> # $message_body_size is above 5k) then
>> # freeze
>> #endif
>>
>> if ($h_subject: IS ILOVEYOU) then
>> freeze text "Suspected ILOVEYOU virus"
>> endif
>> ====================================
>>
>> But we are a relatively small site so can deal with false positives.
>>
>> If others produce better filters, please post.
>>
>> -j
>>
>> --
>> Jeffrey Goldberg +44 (0)1234 750 111 x 2826
>> Cranfield Computer Centre FAX 751 814
>> J.Goldberg@???
>> http://WWW.Cranfield.ac.uk/public/cc/cc047/ Relativism is the triumph
>> of authority over truth, convention over justice.
>>
>
> --
> Richard Leyton | http://www.beenz.com - The web's currency.
> mailto:richard@beenz.com | Public (OpenPGP) Key #C603EEB7
> Tel: +44 (0)207 886 0732 |
Pengar Enterprises, Inc. and Shire.Net LLC
Web and Macintosh Consulting -- full service web hosting
Chad Leigh
chad@??? chad@???