The filter published at www.exim.org will reject the Nimda worm because of the
.exe file extension. I don't use that but put in a simple filter to divert
anything with readme.exe in the body to postmaster. That trapped 8 copies in 24
hours and I am surprised there were so few. On the basis of those 8 I revised my
filter again and am now using:

    if $message_body matches "name=\"{0,1}readme\\\\.exe"
    then
      if $message_body CONTAINS "====_ABC1234567890DEF===="
      then
        fail text "This message has been rejected because it has the signature\n\
                   of the W32.Nimda.A virus/worm in it"
        seen finish
      else
        deliver postmaster
      endif
    endif

All 8 copies used the same MIME boundary so I used that in the filter. I should
still capture other variants which are using the same filename.
Phil.
---------------------------------------
Phil Chambers (postmaster@???)
University of Exeter
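
The decision logic of the filter above, as an added example (not part of the original post and not Exim code): a Python model that sorts constructed sample bodies into the filter's three outcomes. It assumes lower-case `matches` ignores case and upper-case `CONTAINS` is case-sensitive, as in Exim filter syntax, and that only the first `VISIBLE` characters of the body are examined with newlines turned into spaces; the function names, the 500-character limit and the sample messages are assumptions made for the illustration.

```python
import re

# Assumption: $message_body holds only the start of the body
# (Exim's message_body_visible setting); 500 is the modelled limit.
VISIBLE = 500

# The regex as Exim sees it once the filter string is unescaped.
# Lower-case "matches" compares without regard to case.
FILENAME_RE = re.compile(r'name="{0,1}readme\.exe', re.IGNORECASE)

# Boundary string from the post; upper-case CONTAINS is case-sensitive.
NIMDA_BOUNDARY = "====_ABC1234567890DEF===="


def message_body(raw_body, visible=VISIBLE):
    """Model $message_body: truncated, newlines turned into spaces."""
    return raw_body[:visible].replace("\r", " ").replace("\n", " ")


def classify(raw_body, visible=VISIBLE):
    """Return 'fail', 'postmaster' or 'deliver', mirroring the filter."""
    body = message_body(raw_body, visible)
    if FILENAME_RE.search(body):
        if NIMDA_BOUNDARY in body:
            return "fail"        # known boundary: reject outright
        return "postmaster"      # same filename, other boundary: divert
    return "deliver"             # filter takes no action


def mime_part(boundary, filename, quoted=True):
    """Build a constructed attachment header block (sample data only)."""
    name = f'"{filename}"' if quoted else filename
    return (f"--{boundary}\nContent-Type: audio/x-wav;\n\tname={name}\n"
            "Content-Transfer-Encoding: base64\n\n(base64 data)\n")


# Constructed samples, not captured traffic.
SAMPLES = {
    "known": mime_part(NIMDA_BOUNDARY, "readme.exe"),
    "variant": mime_part("====_XYZ_====", "README.EXE", quoted=False),
    "lowercase boundary": mime_part(NIMDA_BOUNDARY.lower(), "readme.exe"),
    "clean": mime_part("====_XYZ_====", "notes.txt"),
    "late": "x" * VISIBLE + mime_part(NIMDA_BOUNDARY, "readme.exe"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:20} -> {classify(body)}")
```

The "late" sample shows the limit of a `$message_body` test in this model: an attachment header that begins beyond the visible portion of the body is never examined, so such a message is delivered.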