Re: [Exim] Nimda Worm

Author: bradley
Date:  
To: ice
CC: wash, exim-users
Subject: Re: [Exim] Nimda Worm
Hello ...

We got the following ...

if "$message_body" contains "T-V-q-Q-A-A-M-A-A-A-A-E-A-A-A-A" then
  logfile /var/log/exim/exim_filterlog
  logwrite "$tod_log nimda $message_id $sender_address ($sender_host_name [$sender_host_address]) => $header_to subject=$header_subject"
  seen finish
endif


Remove the -'s; gotta do that or this message gets filtered ;-)

Improvements, comments welcome.

Bradley

PS. I sent you a copy of the virus...


> On Wed, 19 Sep 2001, Odhiambo Washington wrote:
>
> > I was wondering if anyone has been hit hard enough by this NIMDA
> > worm and has come up with a filter for it.
>
> try this (based on info from a local list):
>
> if
> $h_content-type: contains "multipart\/related" and
> $h_content-type: contains "type=\"multipart\/alternative\";" and
> $h_content-type: contains "boundary=\"====_ABC1234567890DEF_====\""
> then
> save /var/mail/rejected_messages/nimda/
> fail text "whatever\n"
> seen finish
> endif
>
> this is my first filter, also thrown together in a hurry,
> comments/improvements are welcome..
>
> also i don't have nimda (could please someone send me one?), but it
> stops a message hand-crafted according to the info on the
> abovementioned info.
>
> --
> [-]
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##
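
Added example, not part of the original posts: a Python model of the two filters in this thread, run over constructed messages. With the dashes removed, the body string is the base64 encoding of the first 12 bytes of a typical Windows executable header, so the body test matches any such base64 attachment, while the header test keys on the one boundary string quoted above. The `visible` parameter is a hypothetical stand-in for Exim's `message_body_visible` limit (500 characters by default) on what `$message_body` contains.

```python
import base64
from email import message_from_string

# First 12 bytes of a typical Windows executable (DOS "MZ" header).
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000")
# Base64 of those bytes: the string the body filter searches for.
MZ_B64 = base64.b64encode(MZ_HEADER).decode()
BOUNDARY = "====_ABC1234567890DEF_===="  # boundary quoted in the thread

def body_rule(raw, visible=None):
    """Body filter: substring match on the body, newlines folded to spaces.
    `visible` (hypothetical parameter) caps how much of the body is searched."""
    body = raw.partition("\n\n")[2].replace("\n", " ")
    return MZ_B64 in (body if visible is None else body[:visible])

def header_rule(raw):
    """Header filter: all three substrings must appear in Content-Type."""
    ctype = message_from_string(raw)["Content-Type"] or ""
    return all(s in ctype for s in (
        "multipart/related",
        'type="multipart/alternative";',
        f'boundary="{BOUNDARY}"'))

def make_mail(ctype, boundary, preamble=""):
    """Build a constructed test message with a harmless MZ-prefixed attachment."""
    payload = base64.b64encode(MZ_HEADER + bytes(36)).decode()
    return (f"From: a@example.test\nTo: b@example.test\nSubject: test\n"
            f"Content-Type: {ctype}\n\n{preamble}--{boundary}\n"
            "Content-Type: application/octet-stream\n"
            "Content-Transfer-Encoding: base64\n\n"
            f"{payload}\n--{boundary}--\n")

# Constructed samples (no worm code, only the 12 header bytes plus zero padding).
NIMDA_LIKE = make_mail('multipart/related;\n\ttype="multipart/alternative";\n\t'
                       f'boundary="{BOUNDARY}"', BOUNDARY)
INSTALLER = make_mail('multipart/mixed; boundary="b1"', "b1")
LATE_PART = make_mail('multipart/mixed; boundary="b1"', "b1", "x" * 600 + "\n")
PLAIN = "From: a@example.test\nContent-Type: text/plain\n\nhello\n"

if __name__ == "__main__":
    for name in ("NIMDA_LIKE", "INSTALLER", "LATE_PART", "PLAIN"):
        raw = globals()[name]
        print(name, "body:", body_rule(raw), "body@500:", body_rule(raw, 500),
              "header:", header_rule(raw))
```

INSTALLER shows the body test firing on an unrelated executable attachment, and LATE_PART shows it missing an attachment that starts beyond the visible part of the body.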