Re: [Exim] badtrans virus

Author: John W Baxter
Date:  
To: exim-users
New-Topics: [Exim] badtrans virus (helo)
Subject: Re: [Exim] badtrans virus
At 9:45 +1100 12/3/2001, Todd Lattimer wrote:
>Just wondering if anyone has written a successful filter to block the
>badtrans virus.
>I've written a VERY crude one (shown below) which has very limited and
>marginal success.

I'm having reasonable luck with looking for a From: header where the local
part starts with _ in a message where the envelope sender local part does
not start with _ (and another criterion or two). This is rather tender; a
slight variation in the worm will break it (but that's true of looking for
signature byte strings in the viral code, as well).

# Exim system filter fragment ("freeze" is only available in the system filter).
# Outer test: From: header carries a local part beginning with "_" (in the
# "<_local@domain>" angle-bracket form) and the HELO name the worm uses.
if $header_from: contains <_ and $sender_helo_name is aol.com then
    logfile /logs/exim/exim_newvirus
    logwrite "$tod_log $header_from: sent the new virus to $header_to:"
    # Envelope sender local part also begins with "_": hold for inspection.
    if $sender_address_local_part begins _ then
        freeze
    else
        # actions here for the worm
    endif
endif

I'm freezing the leading underscore/leading underscore case so I can
examine some...so far there haven't been any, but someone somewhere must
have such a local part.

AOL is innocent, but the worm uses aol.com for the helo data.

--john (anxious to get our Sophos-based scanner going)

-- 
John Baxter   jwblist@???      Port Ludlow, WA, USA
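As an added illustration (not code from the original post), here is the same decision logic in Python, run over a few constructed envelope/header samples; the dictionary field names and the sample addresses are assumptions. The fourth sample shows the gap John calls "tender": a bare `_local@domain` From: header without angle brackets never matches `contains <_`.

```python
# Constructed samples (hypothetical data): the envelope and header fields
# the Exim filter above examines for each incoming message.
SAMPLE_MESSAGES = [
    {"helo": "aol.com", "sender": "alice@example.org",
     "from": '"Alice" <_alice@example.org>', "to": "bob@example.net"},
    {"helo": "mail.example.org", "sender": "alice@example.org",
     "from": "alice@example.org", "to": "bob@example.net"},
    {"helo": "AOL.COM", "sender": "_carol@example.org",
     "from": "<_carol@example.org>", "to": "bob@example.net"},
    # Bare address form: From: starts with "_" but has no "<_", so the
    # filter's literal "contains <_" test does not fire.
    {"helo": "aol.com", "sender": "dave@example.org",
     "from": "_dave@example.org", "to": "bob@example.net"},
]


def local_part(address: str) -> str:
    """Return the local part (text before the last '@') of a bare address."""
    return address.rsplit("@", 1)[0] if "@" in address else address


def classify(msg: dict) -> str:
    """Mirror the filter's three outcomes: 'freeze', 'worm' or 'pass'.

    Exim's lowercase 'is' compares case-insensitively, so the HELO name is
    lowercased here to match that behaviour.
    """
    helo = msg["helo"].lower()
    # Outer condition: From: contains "<_" and HELO claims to be aol.com.
    if "<_" not in msg["from"] or helo != "aol.com":
        return "pass"
    # Inner condition: envelope sender local part begins with "_" -> freeze
    # for manual inspection; otherwise it is the worm pattern.
    if local_part(msg["sender"]).startswith("_"):
        return "freeze"
    return "worm"


def log_line(msg: dict, tod: str) -> str:
    """Reproduce the filter's logwrite line for one matching message."""
    return f"{tod} {msg['from']} sent the new virus to {msg['to']}"


def run(messages: list) -> list:
    """Classify every sample message in order."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify(m), "|", log_line(m, "2001-12-03 10:00:00"))
```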