In the beginning I was doing something similar.
(I only caused a virus alert for an "aol.com" message if the envelope sender was a local one.)
But then I realized that the bt virus didn't always have the "aol.com" in the "helo".
You don't catch them all this way.
regards
Oliver
> At 9:45 +1100 12/3/2001, Todd Lattimer wrote:
> >Just wondering if anyone has written a successful filter to block the
> >badtrans virus.
> >I've written a VERY crude one (shown below) which has very limited and
> >marginal success.
>
> I'm having reasonable luck with looking for a From: header where the local
> part starts with _ in a message where the envelope sender local part does
> not start with _ (and another criterion or two). This is rather tender; a
> slight variation in the worm will break it (but that's true of looking for
> signature byte strings in the viral code, as well).
>
> # From: local part begins with _ (worm signature) and the worm's fixed HELO
> if $header_from: contains <_ and $sender_helo_name is aol.com then
>   logfile /logs/exim/exim_newvirus
>   logwrite "$tod_log $header_from: sent the new virus to $header_to:"
>   # envelope sender also begins with _: hold it so it can be examined by hand
>   if $sender_address_local_part begins _ then
>     freeze
>   else
>     # actions here for the worm
>   endif
> endif
>
> I'm freezing the leading underscore/leading underscore case so I can
> examine some...so far there haven't been any, but someone somewhere must
> have such a local part.
>
> AOL is innocent, but the worm uses aol.com for the helo data.
>
> --john (anxious to get our Sophos-based scanner going)
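As an added illustration that is not part of the thread (neither John's nor Oliver's code), the logic of John's filter written as a small Python classifier, so the three criteria can be exercised against constructed messages offline. It assumes the three filter variables map to plain strings ($sender_address, $sender_helo_name and the From: header value), and it goes slightly beyond the filter in two ways: it also handles a bare From: address with no angle brackets, and `require_helo=False` drops the aol.com HELO test, which is the relaxation Oliver's observation that the HELO varies would call for. The sample messages are made up for the example.

```python
import re

# Constructed sample messages (not from the original thread): each is
# (envelope sender, HELO name, From: header value), i.e. what Exim exposes as
# $sender_address, $sender_helo_name and $header_from:.
SAMPLE_MESSAGES = [
    ("alice@example.org", "aol.com", "Alice <_alice@example.org>"),           # worm-like
    ("_bob@example.org", "aol.com", "Bob <_bob@example.org>"),                # both start with _: freeze
    ("carol@example.net", "mail.example.net", "Carol <carol@example.net>"),  # clean
    ("dave@example.com", "smtp.example.com", "Dave <_dave@example.com>"),    # worm-like, other HELO
    ("", "aol.com", "<_erin@example.org>"),                                  # empty (bounce) sender
]

ANGLE_ADDR_RE = re.compile(r"<([^>]*)>")


def local_part(address: str) -> str:
    """Local part of an address; '' for an empty (bounce) envelope sender."""
    return address.rsplit("@", 1)[0] if address else ""


def from_address(header_from: str) -> str:
    """Address inside a From: header value, angle-bracket form or bare."""
    match = ANGLE_ADDR_RE.search(header_from)
    return match.group(1).strip() if match else header_from.strip()


def classify(envelope_sender: str, helo: str, header_from: str,
             require_helo: bool = True) -> str:
    """Mirror John's filter.

    'worm'   : From: local part starts with _ (and, when require_helo, HELO is
               aol.com) while the envelope sender local part does not.
    'freeze' : both local parts start with _ (held for manual inspection).
    'clean'  : anything else.
    """
    from_lp = local_part(from_address(header_from))
    sender_lp = local_part(envelope_sender)
    if not from_lp.startswith("_"):
        return "clean"
    if require_helo and helo.lower() != "aol.com":
        return "clean"
    if sender_lp.startswith("_"):
        return "freeze"
    return "worm"


def scan(messages, require_helo: bool = True):
    """Classify each message; for matches, build the line John's logwrite records
    (without the $tod_log timestamp prefix)."""
    results = []
    for sender, helo, header_from in messages:
        verdict = classify(sender, helo, header_from, require_helo)
        log_line = f"{header_from} sent the new virus" if verdict != "clean" else ""
        results.append((verdict, log_line))
    return results


if __name__ == "__main__":
    for (verdict, log_line), msg in zip(scan(SAMPLE_MESSAGES), SAMPLE_MESSAGES):
        print(f"{verdict:6s} {msg[1]:18s} {log_line or msg[2]}")
```

Running it with the HELO test on marks the first and last messages as the worm and holds the second; with `require_helo=False` the fourth message is caught as well, at the cost of matching any legitimate sender whose local part begins with an underscore, which is exactly the case John freezes for inspection.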