Re: [Exim] Tracking SirCam (fwd) with 'date:' header

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MJim Tittsler at <-
MSheldon Hearn at ->
Delete this message
Reply to this message
Author: Alan Thew
Date:  
To: Jim Tittsler
CC: Exim Users Mailing List
Subject: Re: [Exim] Tracking SirCam (fwd) with 'date:' header
Has anyone tried this with W32/Magistr-A which appears to use FROM and
SUBJECT 

-- 
Alan Thew                                       alan.thew@???
Computing Services,University of Liverpool      Fax: +44 151 794-4442


On Fri, 27 Jul 2001, Jim Tittsler wrote:

> On Thu, Jul 26, 2001 at 01:05:35PM -0500, Felipe wrote:
> > Alan Thew quoted a securityfocus posting:
> > > In the header of the message, everything looks dynamic, and so tracking it
> > > seems to be hard. However, there is a slip -- the Date: header actaully
> > > appears as 'date:'.
>
> > How can I compouse the right filter...?
>
> Perhaps a filter stanza like:
>
> # The W32/Sircam virus is sending messages with lower case date: headers
> if $message_headers CONTAINS "\ndate: "
> then
>     freeze text "Suspect W32/Sircam virus message"
> endif

>
>
> (The upper-case CONTAINS makes the string comparison case
> sensitive.)
>
> --
> Jim Tittsler, Tokyo
> Python Starship     http://starship.python.net/crew/jwt/

>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>



This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[Exim] Help with a clever guy![Exim] Re: Help with a clever guy!->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)