yes,
if $message_body contains "Content-ID: <EA4DMGBP9p>" and
   $sender_address is not "" and
   $message_body contains "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" and
   $recipients does not contain "YourName@YourDomain"
then
   # Do something useful
   freeze
endif
Replace "YourName@YourDomain" with the sender address of the virus alert
message (if you send any), otherwise you may cause a mail loop.
As far as I have seen, the bt virus doesn't forge the envelope sender, so it is
a good idea to send a virus alert to the envelope sender.
Also the following configuration settings are useful (necessary):
# Systemfilter configuration
message_filter = /usr/local/exim/exim.filter
message_filter_file_transport=address_file
message_filter_reply_transport=address_reply
message_body_visible=5000
# (A high value, 1000 Bytes should be enough.)
And remember:
Filters like this one will react to messages like this one ...
:-)
regards
Oliver
> Hi Guys,
>
> Just wondering if anyone has written a successful filter to block the
> badtrans virus.
> I've written a VERY crude one (shown below) which has very limited and
> marginal success.
>
> cheers
> Todd
>
> #Badtrans
> if $message_body contains "TVqQAAMAAAAEAAAA//"
> then fail text "Your machine appears to be affected with the W32.Badtrans.B@mm worm."
> endif
> # End Badtrans
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##
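
Added example, not part of the original thread and not Exim code: a small Python model of the four conditions in the reply's filter, run over constructed messages to show the loop guard, the false positive on mail that merely quotes the markers, and the effect of message_body_visible. It assumes $message_body is the first message_body_visible characters of the body with newlines turned into spaces, and uses the shorter base64 prefix from the quoted filter; the function names and example.* addresses are made up for illustration.

```python
# Simplified model of the filter test discussed in this thread (added example).
CONTENT_ID = "Content-ID: <EA4DMGBP9p>"   # marker from the reply's filter
MZ_PREFIX = "TVqQAAMAAAAEAAAA//"          # shorter prefix from the quoted filter
ALERT_FROM = "YourName@YourDomain"        # placeholder address used on the page


def visible_body(body, visible):
    """Assumed model of $message_body: first `visible` chars, newlines as spaces."""
    return body[:visible].replace("\n", " ")


def verdict(sender, recipients, body, visible=5000):
    """Return 'freeze' when all four conditions of the filter hold, else 'deliver'."""
    text = visible_body(body, visible)
    hit = (
        CONTENT_ID in text
        and sender != ""                               # skip bounces (empty sender)
        and MZ_PREFIX in text
        and ALERT_FROM not in ", ".join(recipients)    # loop guard for alert mail
    )
    return "freeze" if hit else "deliver"


# Constructed sample bodies, not captured traffic.
WORM_LIKE = (
    "--b\nContent-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n" + CONTENT_ID + "\n\n" + MZ_PREFIX + "8AALg\n"
)
DISCUSSION = "My filter tests for " + CONTENT_ID + "\nand the string " + MZ_PREFIX + "\n"
LATE = "x" * 600 + "\n" + WORM_LIKE   # markers start after 600 filler characters

if __name__ == "__main__":
    rcpt = ["user@example.net"]
    print("worm-like mail:      ", verdict("a@example.org", rcpt, WORM_LIKE))
    print("bounce, empty sender:", verdict("", rcpt, WORM_LIKE))
    print("to alert address:    ", verdict("a@example.org", [ALERT_FROM], WORM_LIKE))
    print("list discussion:     ", verdict("list@example.org", rcpt, DISCUSSION))
    print("late, visible=500:   ", verdict("a@example.org", rcpt, LATE, visible=500))
    print("late, visible=5000:  ", verdict("a@example.org", rcpt, LATE, visible=5000))
```
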