Re: [Exim] DATA ACL to catch W32.Sobig.E

Author: Wolfgang Lumpp
Date:  
To: exim-users
Subject: Re: [Exim] DATA ACL to catch W32.Sobig.E
Hi,

same here.
One arrived with double-dash, 2 with +0100.
Probably block additionally by attachment name "your_details.zip".

Regards
Wolfgang

On Fri, 2003-06-27 at 08.33, Chad Leigh -- Shire.Net LLC wrote:
> On Thursday, Jun 26, 2003, at 11:45 US/Mountain, Tabor J. Wells wrote:
>
> > For those of you who are dealing with W32.Sobig.E today and don't want to
> > block all mail with .zip attachments, the following DATA ACL seems to catch
> > the infected mail 100% of the time. At least for this variation of the worm.
>
> After installing this this evening, I got one caught and one got
> through (date had a + TZ not --). Thanks! Anything that can help
> block this is much appreciated.
>
> Thanks
> Chad
>
>
> >
> > deny    condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
> >         log_message = "Malformed Date header (double dash on TZ). Probably \
> >                        W32.Sobig.E. Date: $header_date:"
> >         message = This message has been refused because it looks \
> >                   like it is infected with the W32.Sobig.E worm. See\n\
> >                   http://www.sarc.com/avcenter/venc/data/w32.sobig.e@mm.html \
> >                   for details. If you feel this determination is in error, \
> >                   please forward the entire message to \
> >                   postmaster@??? and include code \"AV#1\" \
> >                   in the Subject
> >
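
The thread reports that the double-dash Date check misses copies that arrive with a `+` timezone offset, and the reply above suggests also matching the attachment name. The following is an added example in Python, not code from the thread or from Exim: it evaluates both indicators on parsed messages. The function names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Same test as the ACL: whitespace, two dashes, four digits at the end of Date.
DOUBLE_DASH_TZ = re.compile(r"\s--\d{4}$")
# Attachment name mentioned in the thread.
BLOCKED_NAMES = {"your_details.zip"}


def indicators(raw):
    """Return the set of indicators that fire for one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = set()
    date = (msg.get("Date") or "").strip()
    if DOUBLE_DASH_TZ.search(date):
        hits.add("date-double-dash")
    # Walk every MIME part so a nested attachment is still seen.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in BLOCKED_NAMES:
            hits.add("attachment-name")
    return hits


def build(date, filename="your_details.zip"):
    """Constructed sample message (not captured traffic) with one attachment."""
    return (
        f"From: a@example.com\nTo: b@example.com\nDate: {date}\n"
        "Subject: test\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nbody text\n"
        "--b1\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "placeholder\n--b1--\n"
    )


if __name__ == "__main__":
    samples = [
        build("Thu, 26 Jun 2003 11:45:00 --0600"),              # double-dash TZ
        build("Fri, 27 Jun 2003 08:33:00 +0100"),               # missed by Date check
        build("Fri, 27 Jun 2003 08:33:00 -0600", "notes.txt"),  # ordinary mail
    ]
    for raw in samples:
        print(sorted(indicators(raw)) or "clean")
```
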