Re: [Exim] Blocking sobig.f

Author: Wakko Warner
Date:  
To: Shane Wegner
CC: exim-users
Subject: Re: [Exim] Blocking sobig.f
> Have any acls for exim4 been written to block the latest
> sobig.f virus released today. We've received over 300 of
> them and would like to block at smtp level if possible.


I've noticed lots of them EHLO as "ED". You could check to see if there's a
dot in the HELO name (pretty much all legit mail EHLOs as a FQDN, or is that
FQHN? =)

# The pattern is anchored so that only a HELO name of exactly "ED" matches.
drop    message = We do not accept mail of this kind
    condition = ${if match{$sender_helo_name}{\N^ED$\N}{yes}{no}}


You can put this anywhere (almost). I prefer (since this isn't a real MTA and
doesn't attempt to deliver again) to put this in the helo acl. Putting it
in the data acl will simply waste your bandwidth =)

I assume most people prefer to put this in the rcpt acl (but replacing drop
with deny).

--
Lab tests show that use of micro$oft causes cancer in lab animals
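
Added example, not part of the original message: the "dot in the HELO name" check suggested above written as an Exim 4 ACL, in both the helo placement (drop) and the rcpt placement (deny). The ACL name acl_check_helo and the host list relay_from_hosts are assumptions, and the log_message text is constructed.

```exim
# Main configuration section: name the ACL to run for HELO/EHLO.
acl_smtp_helo = acl_check_helo

# ACL section (after "begin acl").
acl_check_helo:
  # Local (non-TCP) submission and trusted relays are exempt. The host list
  # relay_from_hosts is an assumption; define it to suit your site.
  accept  hosts       = : +relay_from_hosts

  # Drop when the name has no dot and is not an address literal such as
  # [192.0.2.1] or [IPv6:...], which legitimately may contain no dot.
  drop    message     = We do not accept mail of this kind
          log_message = dotless HELO name: $sender_helo_name
          condition   = ${if match{$sender_helo_name}{\N^\[|\.\N}{no}{yes}}

  # An ACL that runs off its end denies, so accept everything else.
  accept

# Alternative placement: add this statement to the existing RCPT ACL instead.
# "deny" rejects the recipient but keeps the connection open. Authentication
# happens after EHLO, so only here can authenticated submitters be exempted.
  deny    message     = We do not accept mail of this kind
          !authenticated = *
          !hosts      = : +relay_from_hosts
          condition   = ${if match{$sender_helo_name}{\N^\[|\.\N}{no}{yes}}
```

Mail clients on internal networks often send a short machine name in EHLO, so review which hosts need exempting before enabling the helo form.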