Re: [Exim] DATA ACL to catch W32.Sobig.E

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] DATA ACL to catch W32.Sobig.E
On Fri, 27 Jun 2003, Chad Leigh -- Shire.Net LLC wrote:

> After installing this this evening, I got one caught and one got
> through (date had a + TZ not --). Thanks! Anything that can help
> block this is much appreciated.


We're blocking it on a characteristic string in the virus's
Content-type header. I shan't reproduce it in its entirety here,
because I set up a block to catch bogus reports coming in from idiots
who want to accuse our innocent users (i.e. those whose addresses have
been counterfeited as senders) of being the cause of the problem.
And that block would block this outgoing mail if I included the
complete tag! But it begins "CSmtpMsgPart123".

Apropos such bogus complaints (of which we caught about a dozen
yesterday, and there are yet more coming in), we caught one accusation
which apparently came from an end user at the remote site. When I
complained to her about this false accusation of one of our users, she
was astonished: apparently their local mail admin has arranged to
catch incoming viruses, and counterfeit the address of the intended
victim on an automatically composed complaint that is sent to the
counterfeited address that was found in the incoming envelope-sender
(if you see what I mean). Sheesh.
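
The distinction the message above relies on, as an added example that is not part of the original post and is not Exim configuration: a match scoped to the message's own Content-Type header identifies the virus, while a match anywhere else in the message also fires on reports, bounces and list posts that merely quote the string. The sample messages are constructed, and only the prefix given in the post is matched because the complete tag is not reproduced there.

```python
from email import message_from_string

MARKER = "CSmtpMsgPart123"  # prefix quoted in the post; the full tag is not given

def header_has_marker(part):
    # Unfold the header first so a folded Content-Type still matches.
    return MARKER in " ".join(str(part.get("Content-Type", "")).split())

def classify(raw):
    """Return 'virus', 'quotes-marker' or 'clean' for one raw message."""
    msg = message_from_string(raw)
    if header_has_marker(msg):            # the message's own Content-Type header
        return "virus"
    for part in msg.walk():
        if part is not msg and header_has_marker(part):
            return "quotes-marker"        # original attached to a report or bounce
        if not part.is_multipart():
            body = part.get_payload(decode=True) or b""
            if MARKER.encode() in body:
                return "quotes-marker"    # string merely quoted in the text
    return "clean"

# Constructed samples; where the string sits inside the header is an assumption.
VIRUS = (
    "From: forged@example.org\n"
    "Subject: Re: Application\n"
    "Content-Type: multipart/mixed;\n"
    "\tboundary=\"CSmtpMsgPart123X_constructed\"\n"
    "\n"
    "--CSmtpMsgPart123X_constructed\n"
    "Content-Type: text/plain\n"
    "\n"
    "See the attached file.\n"
    "--CSmtpMsgPart123X_constructed--\n"
)
REPORT = (
    "From: scanner@example.net\n"
    "Subject: Virus found in your mail\n"
    "Content-Type: text/plain\n"
    "\n"
    "Headers of the offending message:\n"
    "Content-Type: multipart/mixed; boundary=\"CSmtpMsgPart123X_constructed\"\n"
)
CLEAN = "From: a@example.org\nSubject: lunch\nContent-Type: text/plain\n\nNoon?\n"

if __name__ == "__main__":
    for name, raw in (("virus", VIRUS), ("report", REPORT), ("clean", CLEAN)):
        print(name, "->", classify(raw))
```

Keeping the two outcomes separate lets a site reject the virus itself while handling automated complaints differently, and shows why a message quoting the full tag would trip the second rule.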