Hi,
same here.
One arrived with double-dash, 2 with +0100.
Probably block additionaly by attachment name "your_details.zip".
Regards
Wolfgang
Am Fre, 2003-06-27 um 08.33 schrieb Chad Leigh -- Shire.Net LLC:
> On Thursday, Jun 26, 2003, at 11:45 US/Mountain, Tabor J. Wells wrote:
>
> > For those of you who are dealing with W32.Sobig.E today and don't want
> > to
> > block all mail with .zip attachments, the following DATA ACL seems to
> > catch
> > the infected mail 100% of the time. At least for this variation of the
> > worm.
>
> After installing this this evening, I got one caught and one got
> through (date had a + TZ not --). Thanks! Anything that can help
> block this is much appreciated.
>
> Thanks
> Chad
>
>
> >
> > deny condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
> > log_message = "Malformed Date header (double dash on TZ).
> > Probably \
> > W32.Sobig.E. Date: $header_date:"
> > message = This message has been refused because it looks \
> > like it is infected with the W32.Sobig.E worm. See\n\
> >
> > http://www.sarc.com/avcenter/venc/data/w32.sobig.e@mm.html \
> > for details. If you feel this determination is in
> > error, \
> > please forward the entire message to \
> > postmaster@??? and include code \"AV#1\" \
> > in the Subject
> >
