Re: [Exim] badtrans virus

On Mon, 3 Dec 2001, [iso-8859-2] £ukasz Grochal wrote:

> From the above I deduce that we are talking about the new BadtransII
> or in other words - the newest mutation of the virus, the one whose
> breakout we all - as I can see - now observe. And if so, then notifying
> the sender is meaningless, the sender address is mangled by the virus,
> typically by adding an '_' in front of it.

The envelope sender looks just fine, and that's where the rejection
message (provoked from a 'fail' in the system filter) is going. We
seem to be transmitting the rejection report successfully in most
cases, though whether the senders ever actually get them I neither
know nor do I really care - AFAICS we've done our duty by launching
the rejection report.

I haven't yet spotted a report where the header From: didn't match
the 'envelope from' with an underscore inserted ahead of it. Looks to
me as if the various virus information sites are saying the same
thing.

By the way, we were already rejecting the thing from the start, thanks
to the generic rejection of active-type attachments (i.e based on the
filter recipe distributed from the exim web site). There was no need
for us to write a new recipe to catch it.

cheers