[Exim] DATA ACL to catch W32.Sobig.E

Author: Tabor J. Wells
Date:  
To: exim-users
Subject: [Exim] DATA ACL to catch W32.Sobig.E
For those of you who are dealing with W32.Sobig.E today and don't want to
block all mail with .zip attachments, the following DATA ACL seems to catch
the infected mail 100% of the time. At least for this variation of the worm.

deny    condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
        log_message = "Malformed Date header (double dash on TZ). Probably \
                       W32.Sobig.E. Date: $header_date:"
        message = This message has been refused because it looks \
                  like it is infected with the W32.Sobig.E worm. See\n\
                  http://www.sarc.com/avcenter/venc/data/w32.sobig.e@mm.html \
                  for details. If you feel this determination is in error, \
                  please forward the entire message to \
                  postmaster@??? and include code \"AV#1\" \
                  in the Subject


Tabor
--
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality
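
The following is an added example, not part of the original post or of Exim: a Python check that applies the ACL's regular expression to constructed sample messages, to confirm which Date: forms would be refused before deploying the rule. The way it approximates `$header_date:` (all Date: headers joined by newlines, surrounding whitespace stripped), the sample values and the helper names are assumptions.

```python
import re
from email import message_from_string
from email.policy import compat32

# Same pattern as the ACL condition: whitespace, "--", four digits, end of value.
DOUBLE_DASH_TZ = re.compile(r"\s--\d{4}$")

def date_header_value(raw_message):
    """Rough stand-in for Exim's $header_date: (assumption): every Date: header
    joined by newlines, with leading and trailing whitespace removed."""
    msg = message_from_string(raw_message, policy=compat32)
    return "\n".join(msg.get_all("Date", [])).strip()

def acl_would_deny(raw_message):
    """True when the Date: value ends in a double-dash numeric time zone."""
    return DOUBLE_DASH_TZ.search(date_header_value(raw_message)) is not None

def make_message(date_value):
    """Build a minimal constructed message; None means no Date: header at all."""
    headers = ["From: sender@example.org", "To: rcpt@example.org", "Subject: test"]
    if date_value is not None:
        headers.append("Date: " + date_value)
    return "\n".join(headers) + "\n\nbody\n"

# Constructed sample Date values for testing the rule, not captured traffic.
SAMPLES = {
    "double dash zone": "Wed, 25 Jun 2003 14:02:11 --0400",
    "double dash zone, folded header": "Wed, 25 Jun 2003\n 14:02:11 --0400",
    "normal negative zone": "Wed, 25 Jun 2003 14:02:11 -0400",
    "normal positive zone": "Wed, 25 Jun 2003 20:02:11 +0200",
    "zone followed by comment": "Wed, 25 Jun 2003 14:02:11 -0400 (EDT)",
    "obsolete named zone": "Wed, 25 Jun 2003 18:02:11 GMT",
    "no Date header": None,
}

def classify_samples():
    """Map each sample name to True (ACL would deny) or False (accepted)."""
    return {name: acl_would_deny(make_message(value))
            for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for name, denied in classify_samples().items():
        print(f"{'DENY  ' if denied else 'accept'}  {name}")
```

Only the two double-dash samples are refused; well-formed zones, including one followed by a comment, pass through.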