For those of you who are dealing with W32.Sobig.E today and don't want to
block all mail with .zip attachments, the following DATA ACL seems to catch
the infected mail 100% of the time. At least for this variation of the worm.

  deny  condition   = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
        log_message = "Malformed Date header (double dash on TZ). Probably \
                       W32.Sobig.E. Date: $header_date:"
        message     = This message has been refused because it looks \
                      like it is infected with the W32.Sobig.E worm. See\n\
                      http://www.sarc.com/avcenter/venc/data/w32.sobig.e@mm.html \
                      for details. If you feel this determination is in error, \
                      please forward the entire message to \
                      postmaster@??? and include code \"AV#1\" \
                      in the Subject

Tabor
--
--------------------------------------------------------------------
Tabor J. Wells twells@???
Fsck It! Just another victim of the ambient morality
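
Added example, not part of the original post: a Python sketch for running the ACL's regular expression over sample or archived messages before deploying it, to see what it would refuse and to gauge false positives. The function names and sample messages are constructed for illustration, and checking each Date header separately is an assumption that goes slightly beyond the ACL.

```python
import re
from email import message_from_string

# Same pattern as the ACL condition: whitespace, a doubled minus sign,
# then exactly four digits at the end of the Date header value.
DOUBLE_DASH_TZ = re.compile(r"\s--\d{4}$")

def date_header_is_suspect(raw_message):
    """True if a Date header ends in a '--NNNN' time zone offset."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Date", []):
        # Assumption: strip() approximates the trimmed header value
        # that the ACL condition sees in $header_date:
        if DOUBLE_DASH_TZ.search(value.strip()):
            return True
    return False

def flagged_subjects(raw_messages):
    """Subjects of the messages the rule would refuse."""
    return [message_from_string(m)["Subject"]
            for m in raw_messages if date_header_is_suspect(m)]

# Constructed sample messages (not captured traffic).
SAMPLES = [
    "Subject: doubled dash\nDate: Wed, 25 Jun 2003 14:02:11 --0400\n\nbody\n",
    "Subject: normal offset\nDate: Wed, 25 Jun 2003 14:02:11 -0400\n\nbody\n",
    "Subject: trailing comment\nDate: Wed, 25 Jun 2003 18:02:11 +0000 (UTC)\n\nbody\n",
    "Subject: folded header\nDate: Wed, 25 Jun 2003 14:02:11\n --0400\n\nbody\n",
    "Subject: dashes in body only\nDate: Wed, 25 Jun 2003 14:02:11 -0400\n\nsee --0400\n",
    "Subject: no date header\n\nbody\n",
]

if __name__ == "__main__":
    for subject in flagged_subjects(SAMPLES):
        print("would be refused:", subject)
```

Only the Date header is inspected, so the same string appearing in a message body does not trigger the rule.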