On Mon, Jun 03, 2002 at 09:34:51AM -0400, Greg Ward wrote:
| On 01 June 2002, dman said:
| > The only identifying feature of this mail is the (rather worthless)
| > body :
| >
| > | *** A virus was detected by the security administrator; this message was
| > | discarded ***
|
| Yes, it's somewhat less than helpful.
|
| > Was this really split on 2 lines in the original? If so that makes it
| > a bit more complicated ... hmm, not much since exim compresses
| > newlines into whitespace, a regex could easily handle that (but it
| > would get ugly fast if you allow for variations in the line breaks).
|
| No, I munged it. Oops.

Good. That simplifies it :-).

| > In the "data" acl :
| >
| >   deny condition = ${if contains {$message_body} {"*** A virus was detected by the security administrator; this message was discarded ***"} {1}{0}}
| >        message = "I hate stupid virus alerts. I don't have a virus, don't alert me!"
|
| But that only protects against this one particular stupid virus
| detector.

Yeah, regardless of what host it is forging :-).

| This is not the first one I've seen that, when sending a
| virus warning to X@???, forges a sender of
| postmaster@???.

Are they really different scanners or the same junkware on different
hosts?

| That's just so utterly completely wrong that I want to ban it
| completely.

Good plan :-).

| My original ACL:
|
|   deny hosts = !127.0.0.1
|        senders = postmaster@???:\
|                  postmaster@???:\
|                  webmaster@???:\
|                  webmaster@???
|        message = forged sender address
|
| seems to work just fine, although I do plan to elaborate it somewhat.

Oh, you're the postmaster for python.org? That keeps the number of
"bogus" domains from growing rapidly. I still think the content check
is good to have since it can (possibly) drop extra junk too.

-D
--
Come to me, all you who are weary and burdened, and I will give you
rest. Take my yoke upon you and learn from me, for I am gentle and
humble in heart, and you will find rest for your souls. For my yoke
is easy and my burden is light.
Matthew 11:28-30
GnuPG key :
http://dman.ddts.net/~dman/public_key.gpg
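
Added example, not part of the original thread and not Exim configuration: a Python model of the two deny rules discussed above (the forged role-address sender and the body match), with the notice matched across any line wrapping. The example.org/example.net addresses, the 192.0.2.x hosts, the "bogus virus alert" reason and all function names are constructed assumptions.

```python
import re

# Notice text quoted in the thread; everything else below is constructed.
NOTICE = ("*** A virus was detected by the security administrator; "
          "this message was discarded ***")

# Placeholder role addresses (the thread's real domains are masked as ???).
PROTECTED_SENDERS = {"postmaster@example.org", "webmaster@example.org"}
LOCAL_HOSTS = {"127.0.0.1"}

def notice_pattern(text):
    """Build a regex that matches `text` with any run of whitespace
    (spaces, tabs, line breaks) between its words."""
    words = text.split()
    return re.compile(r"\s+".join(re.escape(w) for w in words))

NOTICE_RE = notice_pattern(NOTICE)

def check_message(host, sender, body):
    """Return (action, reason), mirroring the two deny rules in the thread."""
    # Rule 1: a local role address used as envelope sender by a remote host.
    if sender.lower() in PROTECTED_SENDERS and host not in LOCAL_HOSTS:
        return ("deny", "forged sender address")
    # Rule 2: the body carries the scanner's notice, however it was wrapped.
    if NOTICE_RE.search(body):
        return ("deny", "bogus virus alert")
    return ("accept", "")

# Constructed sample messages: (connecting host, envelope sender, body).
SAMPLES = [
    ("192.0.2.10", "postmaster@example.org", "hello"),
    ("192.0.2.11", "scanner@example.net",
     "*** A virus was detected by the security administrator; this message was\n"
     "discarded ***\n"),
    ("127.0.0.1", "postmaster@example.org", "Weekly queue report attached."),
    ("192.0.2.12", "alice@example.net", "A virus was detected? Not by me."),
]

if __name__ == "__main__":
    for host, sender, body in SAMPLES:
        print(host, sender, check_message(host, sender, body))
```

Building the pattern from the words of the notice keeps the rule readable while still tolerating the line-break variations raised in the thread.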