Re: [Exim] DATA ACL to catch W32.Sobig.E

Author: Tabor J. Wells
Date:  
To: Wolfgang Lumpp
CC: exim-users
Subject: Re: [Exim] DATA ACL to catch W32.Sobig.E
On Fri, Jun 27, 2003 at 09:00:39AM +0200,
Wolfgang Lumpp <wol@???> is thought to have said:

> same here.
> One arrived with double-dash, 2 with +0100.
> Probably block additionally by attachment name "your_details.zip".


Odd. I've been blocking a few hundred of these a day and haven't seen a + in
a TZ yet. I ran the ACL with exiscan blocking files with a .zip extension
combined for several hours and none slipped past the DATA ACL to be blocked
by exiscan. Oh well. Perhaps a server in the middle is rewriting the invalid
Date: header or something.

And FWIW you need to block more than just that one file name. There are 5 or
6 I believe. Check your favorite AV site for details.

In any case this DATA ACL seems to have no false positives. It's caught a
few other infected messages as well (with .pif and .exe attachments --
perhaps a previous variation of Sobig)

Tabor

--
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality