Re: [Exim] badtrans virus

Author: Oliver Egginger
Date:  
To: Todd Lattimer
CC: exim-users
Subject: Re: [Exim] badtrans virus
yes,

# Exim filter
# (the line above is the required first line of an Exim filter file)

if  $message_body contains "Content-ID: <EA4DMGBP9p>" and
    $sender_address is not "" and
    $message_body contains
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" and
    $recipients does not contain "YourName@YourDomain"
then
    # Do something useful
    freeze
endif


Replace "YourName@YourDomain" with the sender address of the virus alert
message (if you send one), otherwise you may cause a mail loop.
As far as I have seen, the bt virus doesn't forge the envelope sender, so it is
a good idea to send a virus alert to the envelope sender.

Also the following configuration settings are useful (necessary):

# Systemfilter configuration
message_filter = /usr/local/exim/exim.filter
message_filter_file_transport=address_file
message_filter_reply_transport=address_reply
message_body_visible=5000
# (A high value; 1000 bytes should be enough.)


And remember:
Filters like this one will react to messages like this one ...
:-)

regards
Oliver


> Hi Guys,
>
> Just wondering is anyone has written a successful filter to block the
> badtrans virus.
> I've written a VERY crude one (shown below) which has very limited and
> marginal success.
>
> cheers
> Todd
>
> #Badtrans
> if $message_body contains "TVqQAAMAAAAEAAAA//"
> then fail text "Your machine appears to be affected with the
> W32.Badtrans.B@mm worm."
> endif
> # End Badtrans
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##
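The rule from Oliver's reply, reimplemented as an added Python example that is not part of this thread and not Exim code, so the conditions can be checked offline. It decodes the start of the base64 signature to show what is really being matched (the DOS "MZ" stub header that begins every Windows executable), approximates Exim's $message_body variable (body only, truncated to message_body_visible, newlines converted into spaces) and applies the four conditions of the rule, including the loop guard on $recipients. The sample message, the addresses someone@example.org, victim@example.net and postmaster@example.net, and all function names are constructed for this example; the Content-ID string, the base64 signature and the 5000-byte limit are taken from the thread.

```python
import base64

# Signature strings copied from the filter rule in the thread above.
BADTRANS_CONTENT_ID = "Content-ID: <EA4DMGBP9p>"
BADTRANS_MZ_B64 = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
)
# Mirrors the message_body_visible = 5000 setting quoted in the thread.
MESSAGE_BODY_VISIBLE = 5000


def decode_mz_prefix(b64_prefix: str = BADTRANS_MZ_B64[:36]) -> bytes:
    """Decode the first nine base64 quartets (27 bytes) of the signature.

    The result begins with b"MZ" followed by the standard DOS stub header
    fields (e_lfarlc = 0x40 at offset 24). The filter is therefore matching
    the base64 form of an ordinary Windows executable header, which is why a
    short MZ prefix on its own also fires on benign .exe attachments.
    """
    return base64.b64decode(b64_prefix)


def exim_message_body(raw: bytes, visible: int = MESSAGE_BODY_VISIBLE) -> str:
    """Approximate Exim's $message_body variable.

    Exim exposes the body after the header block, truncated to
    message_body_visible bytes, with newlines converted into spaces. That
    last detail matters: a base64 signature only matches if it sits within
    one encoded line of the attachment.
    """
    normalized = raw.replace(b"\r\n", b"\n")
    _headers, _sep, body = normalized.partition(b"\n\n")
    return body[:visible].decode("latin-1").replace("\n", " ")


def badtrans_verdict(raw: bytes, envelope_sender: str,
                     recipients: list, alert_sender: str) -> str:
    """Apply the four conditions of the filter rule and return the action.

    Lowercase Exim filter operators such as "contains" compare
    case-independently, hence the .lower() calls. envelope_sender plays
    $sender_address (empty for bounces), recipients plays $recipients, and
    alert_sender is the address that sends the virus alert, i.e. the
    "YourName@YourDomain" placeholder whose presence among the recipients
    must suppress the rule to avoid a mail loop.
    """
    body_lc = exim_message_body(raw).lower()
    recipients_lc = ", ".join(recipients).lower()
    if (BADTRANS_CONTENT_ID.lower() in body_lc
            and envelope_sender != ""
            and BADTRANS_MZ_B64.lower() in body_lc
            and alert_sender.lower() not in recipients_lc):
        return "freeze"
    return "deliver"


def build_sample(include_mz: bool) -> bytes:
    """Constructed test message (not a real worm sample).

    The attachment part carries only the base64 DOS-stub signature from the
    thread, or a harmless text blob when include_mz is False.
    """
    payload = (BADTRANS_MZ_B64 if include_mz
               else base64.b64encode(b"just text").decode("ascii"))
    return (
        "From: someone@example.org\r\n"
        "To: victim@example.net\r\n"
        "Subject: Re:\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="bnd"\r\n'
        "\r\n"
        "--bnd\r\n"
        'Content-Type: application/octet-stream; name="file.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "Content-ID: <EA4DMGBP9p>\r\n"
        "\r\n"
        f"{payload}\r\n"
        "--bnd--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    print(decode_mz_prefix()[:2])  # b'MZ'
    print(badtrans_verdict(build_sample(True), "someone@example.org",
                           ["victim@example.net"], "postmaster@example.net"))  # freeze
    print(badtrans_verdict(build_sample(True), "",
                           ["victim@example.net"], "postmaster@example.net"))  # deliver
```

Two things the decoded bytes make visible: the MZ prefix alone matches any base64-encoded Windows executable, so it is the Content-ID check that ties the rule to this particular worm; and because $message_body turns newlines into spaces, the long signature from the thread only matches when the attachment's first base64 line starts with it, which makes it stricter than the short prefix in Todd's rule but also means it cannot match a header that happens to begin mid-line.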