Re: [Exim] W32/Sircam worm

Author: Felipe
Date:  
To: woods
CC: Exim Users Mailing List
Subject: Re: [Exim] W32/Sircam worm
I'm experiencing a big problem with W32/Sircam; many mails are being sent with
that worm,
and I wish to implement this filter.
Can you explain to me how to do it, please?

In which part of the configure file must I put this filter?


Greetings

Felipe


----- Original Message -----
From: "Greg A. Woods" <woods@???>
To: <exim-users@???>
Sent: Tuesday, July 24, 2001 12:43 PM
Subject: Re: [Exim] W32/Sircam worm


> [ On Tuesday, July 24, 2001 at 09:26:17 (-0700), Mark Morley wrote: ]
> > Subject: Re: [Exim] W32/Sircam worm
> >
> > Personally I don't like using the generic filter for viruses (I see too
> > many false positives).
> >
> > Yesterday I added this to my filter and in less than 24 hours it's
> > caught over 4,100 copies of the Sircam virus:
> >
> >      if "$message_body" contains "Hi! How are you" and
> >         "$message_body" contains "See you later" and
> >         "$message_body" contains "TVpQAAIAAAAEAA8A" then
> >         seen finish
> >      endif
> >
> > It's probably not foolproof, but it's working here with no false positives
> > so far (I was getting false positives until I added the third check, which
> > is just the first few bytes of the MIME encoded attachment).
>
> That's because you didn't include the MIME encoded characters in the
> first two lines.
>
> Have you actually seen examples of the worm message without the "advice"
> line I used in my test?
>
> --
> Greg A. Woods
>
> +1 416 218-0098      VE3TCP      <gwoods@???>     <woods@???>
> Planix, Inc. <woods@???>;   Secrets of the Weird <woods@???>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
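
The three-string test quoted in this thread, re-expressed in Python as an added example that is not part of any poster's message. It shows what the third string decodes to and why adding it removes matches on ordinary mail. It goes one step beyond the filter by also decoding each MIME part and checking for the `MZ` executable header. The sample messages, addresses and the `sample.bin` filename are constructed for illustration.

```python
import base64
from email import message_from_string

# The three strings from the filter quoted in the thread.
GREETING, CLOSING = "Hi! How are you", "See you later"
B64_PREFIX = "TVpQAAIAAAAEAA8A"

def body_of(raw):
    """Raw body (everything after the first blank line), as the filter sees it."""
    return raw.split("\n\n", 1)[1] if "\n\n" in raw else ""

def two_checks(raw):
    """Only the greeting and closing lines: matches ordinary mail as well."""
    body = body_of(raw)
    return GREETING in body and CLOSING in body

def three_checks(raw):
    """The full quoted test: both text lines plus the encoded attachment start."""
    return two_checks(raw) and B64_PREFIX in body_of(raw)

def executable_parts(raw):
    """Generalisation: decode every MIME part, list those starting with 'MZ'."""
    hits = []
    for part in message_from_string(raw).walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload and payload[:2] == b"MZ":
            hits.append(part.get_filename())
    return hits

def build(text, attachment=None):
    """Constructed sample message; every name and address here is made up."""
    head = ("From: a@example.test\nTo: b@example.test\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="XX"\n\n')
    parts = "--XX\nContent-Type: text/plain\n\n" + text + "\n"
    if attachment is not None:
        parts += ("--XX\nContent-Type: application/octet-stream\n"
                  "Content-Transfer-Encoding: base64\n"
                  'Content-Disposition: attachment; filename="sample.bin"\n\n'
                  + base64.b64encode(attachment).decode() + "\n")
    return head + parts + "--XX--\n"

# The third filter string is base64 for a 12-byte DOS/PE header beginning "MZ".
HEADER_BYTES = base64.b64decode(B64_PREFIX)
WORM_LIKE = build(GREETING + "\nsome text\n" + CLOSING, HEADER_BYTES + b"\x00" * 32)
CHATTY = build(GREETING + " today?\n" + CLOSING + ", thanks!")
```

The base64 string only lines up when the attachment begins with exactly those twelve bytes, which is why the decoded `MZ` check is the more general of the two.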