Re: [Exim] Blocking sobig.f

Author: Alun
Date:  
To: exim-users
Subject: Re: [Exim] Blocking sobig.f
--
Alan J. Flavell (a.flavell@???) said, in message
    <Pine.LNX.4.53.0308200015380.11161@???>:

>
> Even got one report in Welsh, ferchrissake.


That wouldn't be from Aber, would it? That's Uni policy - everything
has to be bilingual and the Welsh has to go first...

We send back reports about viruses except in those cases where we know that
the virus forges addresses. Yesterday I was a bit slow getting Sobig-F into
that config file (mainly because Sophos were slow getting an update out and
Aber got quite widespread infections in the meantime, so I was messing with
exim filters (if anyone wants to know, here's what I used to drop messages
and firewall the offending machine - actually, I also dropped it into a pipe
which firewalled off offending local hosts):

# Exim filter
# Match a base64-encoded fragment of the executable's DOS stub ("This program
# cannot be run in DOS mode") as it appears in the MIME-encoded body. Note that
# $message_body only holds the first message_body_visible bytes of the body.
if $message_body contains "AAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g"
then
    logfile "/tmp/virus.log"
    logwrite "$tod_log blocked to $recipients from $sender_host_address"
    seen finish
endif


I'm a bit ambivalent about bounce messages for viruses and spam. It's a pain
when you get misdirected ones, but at the same time I feel very iffy about
just dropping messages on the floor with no attempt to inform the supposed
sender. If some important word document (for example) gets dropped silently
because of a virus and research funding goes elsewhere as a result, guess
whose door they'll bang on!

Something very close to that has happened here, though in that case we were
able to prove that the message had been delivered and downloaded by the
client's mail program - if we'd had to report that we'd silently dropped the
message in question I don't know what sort of ructions would have happened!

Cheers,
Alun.

--
Alun Jones                       auj@???
Systems Support,                 (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
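An added example (Python, not from the post above nor part of Exim) showing the limit of matching a base64 substring the way the filter above does: the same bytes encode three different ways depending on their offset modulo 3, so decoding the MIME parts and testing the bytes is the more robust check. The sample message and the fake executable it carries are constructed here.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# What the Exim filter above matches in base64 form: the DOS stub text that sits
# near the start of every Windows PE executable.
PE_STUB_MARKER = b"This program cannot be run in DOS mode"

def base64_variants(marker: bytes) -> list[str]:
    """Base64 maps 3 bytes to 4 characters, so the encoded form of `marker` depends
    on its byte offset modulo 3. Return the encoding for each of the three
    alignments, trimmed to the characters determined by the marker alone."""
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + marker).decode("ascii")
        start = 4 if offset else 0  # first group also covers the padding bytes
        end = len(enc) - (4 if (offset + len(marker)) % 3 else 0)  # last group may too
        variants.append(enc[start:end])
    return variants

def raw_text_matches(raw: bytes) -> bool:
    """Substring test on the undecoded message, as the filter does, but for all three
    alignments and with the 76-column line wrapping of base64 bodies removed."""
    flat = raw.decode("ascii", errors="replace").replace("\r", "").replace("\n", "")
    return any(v in flat for v in base64_variants(PE_STUB_MARKER))

def executable_parts(raw: bytes) -> list[str]:
    """Decode each MIME part and test the bytes themselves; this is independent of
    the transfer encoding and of where the marker falls."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"MZ") or PE_STUB_MARKER in data:
            hits.append(part.get_filename() or part.get_content_type())
    return hits

def build_sample(stub_offset: int) -> bytes:
    """Constructed test message carrying a fake executable (not a real binary);
    `stub_offset` shifts where the stub text begins, changing its base64 alignment."""
    fake_exe = b"MZ" + b"\x00" * stub_offset + PE_STUB_MARKER + b"\x00" * 16
    msg = EmailMessage()
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file.")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream", filename="details.pif")
    return msg.as_bytes()
```

With the stub at an offset that is not a multiple of 3, the single encoded string the filter uses no longer appears in the message text, while both functions above still flag the attachment.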


