Re: [Exim] DATA ACL to catch W32.Sobig.E

Author: Chad Leigh -- Shire.Net LLC
Date:  
To: Tabor J. Wells
CC: exim-users
Subject: Re: [Exim] DATA ACL to catch W32.Sobig.E
On Thursday, Jun 26, 2003, at 11:45 US/Mountain, Tabor J. Wells wrote:

> For those of you who are dealing with W32.Sobig.E today and don't want to
> block all mail with .zip attachments, the following DATA ACL seems to catch
> the infected mail 100% of the time. At least for this variation of the
> worm.


After installing this this evening, I got one caught and one got
through (date had a + TZ not --). Thanks! Anything that can help
block this is much appreciated.

Thanks
Chad


>
> deny    condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
>         log_message = "Malformed Date header (double dash on TZ). Probably \
>                        W32.Sobig.E. Date: $header_date:"
>         message = This message has been refused because it looks \
>                   like it is infected with the W32.Sobig.E worm. See\n\
>                   http://www.sarc.com/avcenter/venc/data/w32.sobig.e@mm.html \
>                   for details. If you feel this determination is in error, \
>                   please forward the entire message to \
>                   postmaster@??? and include code \"AV#1\" \
>                   in the Subject
>
> Tabor
> --
> --------------------------------------------------------------------
> Tabor J. Wells                                     twells@???
> Fsck It!                 Just another victim of the ambient morality

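Added example (not part of either poster's message): a small Python harness that applies the regex from the quoted ACL to constructed Date headers, showing which shapes it denies and which pass, including a "+" zone like the one reported getting through above. The sample messages, function names and the RFC 2822 zone check are assumptions made for illustration.

```python
import re
from email import message_from_string

# Regex from the quoted ACL (the text between \N ... \N), unchanged.
ACL_PATTERN = re.compile(r"\s--\d{4}$")
# RFC 2822 zone: one sign plus four digits, or an obsolete zone name.
RFC_ZONE = re.compile(r"\s(?:[+-]\d{4}|UT|GMT|[ECMP][SD]T|[A-IK-Za-ik-z])$")
# A trailing "(MDT)"-style comment is legal after the zone.
TRAILING_COMMENT = re.compile(r"\s*\([^()]*\)$")


def date_header(raw_message):
    """Date header value, trimmed as Exim's $header_date: is ('' if absent)."""
    return (message_from_string(raw_message).get("Date") or "").strip()


def acl_verdict(raw_message):
    """'deny' when the quoted ACL condition would be true, else 'accept'."""
    return "deny" if ACL_PATTERN.search(date_header(raw_message)) else "accept"


def zone_is_wellformed(raw_message):
    """True when the Date header ends in a zone that RFC 2822 allows."""
    value = TRAILING_COMMENT.sub("", date_header(raw_message))
    return bool(RFC_ZONE.search(value))


# Constructed sample messages (not captured worm traffic).
TAIL = "\nSubject: sample\n\nbody\n"
SAMPLES = {
    "double-dash zone": "Date: Thu, 26 Jun 2003 11:02:13 --0600" + TAIL,
    "plus zone": "Date: Thu, 26 Jun 2003 19:02:13 +0100" + TAIL,
    "single-dash zone": "Date: Thu, 26 Jun 2003 11:02:13 -0600" + TAIL,
    "zone with comment": "Date: Thu, 26 Jun 2003 11:02:13 -0600 (MDT)" + TAIL,
    "named zone": "Date: Thu, 26 Jun 2003 17:02:13 GMT" + TAIL,
    "no Date header": "Subject: sample\n\nbody\n",
}


def report(samples=SAMPLES):
    """Map sample name -> (ACL verdict, zone well-formed?)."""
    return {name: (acl_verdict(raw), zone_is_wellformed(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (verdict, wellformed) in report().items():
        print(f"{name:18} {verdict:6} wellformed_zone={wellformed}")
```

Only the double-dash sample is denied, and it is also the only sample with a Date header whose zone fails the RFC 2822 check, so the rule does not touch compliant mail but cannot see a message that carries a valid "+" zone.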