Re: [Exim] Blocking sobig.f

Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [Exim] Blocking sobig.f
Hi Alan, on Wed, 20 Aug 2003 00:25:22 +0100 (BST) you wrote:

> Now, what do we do about these hundreds of stupid 'you sent us a
> virus' non-delivery reports.


If you use SpamAssassin, you could kill them with some rules. I've been
building up the following list of rules over the past few months which
have not caused any false positives so far (but criticism welcome):

header VIRUS_WARNING            Subject =~ /^\{Virus\?\}/
describe VIRUS_WARNING          Unhelpful 'virus warning'
score VIRUS_WARNING             50


header VIRUS_WARNING2           Subject =~ /Virus Detected by Network Associates, Inc. Webshield/
describe VIRUS_WARNING2         Unhelpful NAI Webshield 'virus warning'
score VIRUS_WARNING2            100


header VIRUS_WARNING3           Subject =~ /^---- Virus Detected ----$/
describe VIRUS_WARNING3         Unhelpful Mail Marshal 'virus warning'
score VIRUS_WARNING3            100


header VIRUS_WARNING4           Subject =~ /^Virus detected$/
describe VIRUS_WARNING4         Unhelpful Tobit Software 'virus warning'
score VIRUS_WARNING4            100


header VIRUS_WARNING5           Subject =~ /^Virus Alert$/
describe VIRUS_WARNING5         Unhelpful 'virus warning'
score VIRUS_WARNING5            100


header VIRUS_WARNING6           Subject =~/^InterScan NT Alert$/
describe VIRUS_WARNING6         Unhelpful InterScan 'virus warning'
score VIRUS_WARNING6            100


header VIRUS_WARNING7           Subject =~/^Virus found in the message$/
describe VIRUS_WARNING7         Unhelpful 'virus warning'
score VIRUS_WARNING7            100


header VIRUS_WARNING8           Subject =~/^Message quarantined$/
describe VIRUS_WARNING8         Unhelpful 'virus warning'
score VIRUS_WARNING8            100


header VIRUS_WARNING9           Subject =~/^VIRUS ALERT!/
describe VIRUS_WARNING9         Unhelpful 'virus warning'
score VIRUS_WARNING9            100


header VIRUS_WARNING10          Subject =~/^Virus found in e-mail \(/
describe VIRUS_WARNING10        Unhelpful Netpilot VPN 'virus warning'
score VIRUS_WARNING10           100


header VIRUS_WARNING11          Subject =~/^MDaemon Warning - Virus Found/
describe VIRUS_WARNING11        Unhelpful MDaemon 'virus warning'
score VIRUS_WARNING11           100


header VIRUS_WARNING12          From =~/F-Secure Anti-Virus for Internet Mail/
describe VIRUS_WARNING12        Unhelpful F-Secure 'virus warning'
score VIRUS_WARNING12           100



I only added these two rules yesterday; slightly concerned about it
catching system_filter discussions as they are quite broad:

rawbody VIRUS_WARNING13         /If you meant to send this file then please/
describe VIRUS_WARNING13        Unhelpful Exim system_filter 'virus warning' (1)
score VIRUS_WARNING13           6


rawbody VIRUS_WARNING14         /package it up as a zip file and resend it/
describe VIRUS_WARNING14        Unhelpful Exim system_filter 'virus warning' (2)
score VIRUS_WARNING14           6




Tim
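
Added example, not part of the original message: a small Python harness for checking rules of this shape against sample mail before deploying them, including the false-positive case the post worries about. It is not SpamAssassin's own matcher. The parser handles only the `header`/`rawbody`/`score` forms shown above, rawbody is matched against the whole body rather than line by line, and the three messages are constructed.

```python
import re
from email import message_from_string

# Four of the rules from the post (wrapped lines joined).
RULES = r"""
header VIRUS_WARNING5 Subject =~ /^Virus Alert$/
score VIRUS_WARNING5 100
header VIRUS_WARNING9 Subject =~/^VIRUS ALERT!/
score VIRUS_WARNING9 100
rawbody VIRUS_WARNING13 /If you meant to send this file then please/
score VIRUS_WARNING13 6
rawbody VIRUS_WARNING14 /package it up as a zip file and resend it/
score VIRUS_WARNING14 6
"""

RULE_RE = re.compile(r"^(header|rawbody)\s+(\w+)\s+(?:([\w-]+)\s*=~\s*)?/(.*)/$")

def parse_rules(text):
    """Return ({name: (kind, header, regex)}, {name: score})."""
    tests, scores = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            kind, name, hdr, pat = m.groups()
            tests[name] = (kind, hdr, re.compile(pat))
        elif line.startswith("score"):
            _, name, value = line.split()
            scores[name] = float(value)
    return tests, scores

def evaluate(raw, tests, scores):
    """Return (sorted rule names that hit, total score) for one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = [name for name, (kind, hdr, rx) in tests.items()
            if rx.search(msg.get(hdr, "") if kind == "header" else body)]
    return sorted(hits), sum(scores[n] for n in hits)

# Constructed sample messages (not real traffic).
BOUNCE = "From: scanner@mail.example\nSubject: Virus Alert\n\nA virus was found.\n"
REPLY = "From: user@example.org\nSubject: Re: Virus Alert\n\nAnyone else get this?\n"
DISCUSSION = ("From: admin@example.net\nSubject: [Exim] system_filter wording\n\n"
              "The filter replies with:\n"
              "> If you meant to send this file then please\n"
              "> package it up as a zip file and resend it\n")

if __name__ == "__main__":
    tests, scores = parse_rules(RULES)
    for label, raw in (("bounce", BOUNCE), ("reply", REPLY), ("discussion", DISCUSSION)):
        print(label, *evaluate(raw, tests, scores))
```

The anchored Subject rules leave the "Re:" reply alone, while the list discussion that quotes the filter text hits both rawbody rules for a total of 12, and either rule alone (6) is already above SpamAssassin's stock required score of 5.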