On Thursday, Jun 26, 2003, at 11:45 US/Mountain, Tabor J. Wells wrote:
> For those of you who are dealing with W32.Sobig.E today and don't want
> to
> block all mail with .zip attachments, the following DATA ACL seems to
> catch
> the infected mail 100% of the time. At least for this variation of the
> worm.
After installing this this evening, I got one caught and one got
through (date had a + TZ not --). Thanks! Anything that can help
block this is much appreciated.
Thanks
Chad
>
> deny condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
> log_message = "Malformed Date header (double dash on TZ).
> Probably \
> W32.Sobig.E. Date: $header_date:"
> message = This message has been refused because it looks \
> like it is infected with the W32.Sobig.E worm. See\n\
>
> http://www.sarc.com/avcenter/venc/data/w32.sobig.e@mm.html \
> for details. If you feel this determination is in
> error, \
> please forward the entire message to \
> postmaster@??? and include code \"AV#1\" \
> in the Subject
>
> Tabor
> --
> --------------------------------------------------------------------
> Tabor J. Wells twells@???
> Fsck It! Just another victim of the ambient morality
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> Exim details at http://www.exim.org/ ##
>
