Hello ...
We got the following ...
if "$message_body" contains "T-V-q-Q-A-A-M-A-A-A-A-E-A-A-A-A" then
logfile /var/log/exim/exim_filterlog
logwrite "$tod_log nimda $message_id $sender_address ($sender_host_name [$sender_host_address]) => $header_to subject=$header_subject"
seen finish
endif
Remove the -'s; gotta do that or this message gets filtered ;-)
Improvements/comments welcome.
Bradley
PS. I sent you a copy of the virus...
> On Wed, 19 Sep 2001, Odhiambo Washington wrote:
>
> > I was wondering if anyone has been hit hard enough by this NIMDA
> > worm and has come up with a filter for it.
>
> try this (based on info from a local list):
>
> if
> $h_content-type: contains "multipart\/related" and
> $h_content-type: contains "type=\"multipart\/alternative\";" and
> $h_content-type: contains "boundary=\"====_ABC1234567890DEF_====\""
> then
> save /var/mail/rejected_messages/nimda/
> fail text "whatever\n"
> seen finish
> endif
>
> this is my first filter, also thrown together in a hurry,
> comments/improvements are welcome..
>
> also I don't have nimda (could someone please send me one?), but it
> stops a message hand-crafted according to the above-mentioned info.
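An added example, not written by either poster: the `$message_body contains` test is a plain substring match, which is why the signature had to be broken up with dashes for this message to get through. The Python sketch below decodes each base64 MIME part and checks for the MZ header bytes instead, and compares both tests on constructed messages; the addresses, boundary and file names are made up.

```python
import base64
from email import message_from_string

# The filter's signature with the dashes removed: base64 of the first
# twelve bytes of a DOS/PE executable ("MZ" header).
MZ_B64 = "TVqQAAMAAAAEAAAA"
MZ_BYTES = base64.b64decode(MZ_B64)

def naive_body_match(raw: str) -> bool:
    """Substring search over the body, like `$message_body contains`."""
    _, _, body = raw.partition("\n\n")
    return MZ_B64 in body

def has_mz_attachment(raw: str) -> bool:
    """True if a base64-encoded MIME part decodes to data starting with MZ."""
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue  # quoted or discussed text is never decoded
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(MZ_BYTES):
            return True
    return False

def build_message(attachment: bytes) -> str:
    """Constructed two-part message carrying `attachment` as base64."""
    return (
        "From: sender@example.test\n"
        'Content-Type: multipart/related; boundary="b1"\n'
        "\n"
        "--b1\nContent-Type: text/plain\n\nhello\n"
        "--b1\nContent-Type: application/octet-stream; name=\"sample.bin\"\n"
        "Content-Transfer-Encoding: base64\n\n"
        + base64.encodebytes(attachment).decode()
        + "--b1--\n"
    )

# Constructed samples: a harmless blob with an MZ header, a list post that
# only talks about the signature, and an unrelated attachment.
WITH_EXE = build_message(MZ_BYTES + bytes(36))
DISCUSSION = ("From: admin@example.test\nContent-Type: text/plain\n\n"
              "Our filter matches " + MZ_B64 + " in the body.\n")
CLEAN = build_message(b"just some ordinary attachment data")

if __name__ == "__main__":
    for name, m in (("exe", WITH_EXE), ("talk", DISCUSSION), ("clean", CLEAN)):
        print(name, naive_body_match(m), has_mz_attachment(m))
```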