Re: [Exim] Blocking sobig.f

Author: Dennis Davis
Date:  
To: Shane Wegner
CC: exim-users
Subject: Re: [Exim] Blocking sobig.f
>Date: Tue, 19 Aug 2003 13:05:57 -0700
>To: exim-users@???
>From: Shane Wegner <shane-dated-1063915557.0c0a51@???
>Subject: [Exim] Blocking sobig.f
>Sender: exim-users-admin@???
>
>Have any acls for exim4 been written to block the latest
>sobig.f virus released today? We've received over 300 of
>them and would like to block at smtp level if possible.


exim-4.22 + exiscan-acl-4.22-10 + a decent commercial anti-virus
package. We use sophos + the sophie daemon. If an anti-virus
package isn't available, seriously consider blocking *all* email with
potentially harmful attachments. You can adapt the technique I
suggested in:

From:     Dennis Davis <D.H.Davis@???>
To:       Gururajan Ramachandran <grr@???>
cc:       exim-users@???
Subject:  Re:  [Exim] Null Sender
Message-ID:  <200307111340.aa15489@???>
Date: Fri, 11 Jul 2003 13:40:05 +0100 (BST)


to do this. Blocking harmful attachments won't stop Word macro
viruses getting through. However you may be able to adapt:

http://www.lowth.com/protector/bin/view/Protector/

to only allow Word documents that contain no macros.

Yesterday we blocked nearly 6000 copies of this virus. So far today
we've seen more than 4600 copies. This is by far the most rampant
virus I've seen since we've been running virus detection on our mail
servers. So far we haven't seen an internal infection. I suspect
we've been lucky and that luck may change when people on holiday
return and start reading their email.

The question of false bounce messages has arisen elsewhere in this
discussion. I have a lot of sympathy with Alan J. Flavell's ideas:

From: "Alan J. Flavell" <a.flavell@???>
To: Exim users list <exim-users@???>
Message-ID: <Pine.LNX.4.53.0308041341250.29863@???>
Subject: Re: [Exim] New mailhub/virus/spamassassin installation.
Date: Mon, 4 Aug 2003 13:51:05 +0100 (BST)

...

I'd say that, once a mail admin has been advised that a virus uses
counterfeited sender addresses, it could be rated an offence under UK
computer misuse legislation for the mail admin to continue to compose
and attempt to transmit a bounce to the victims. Especially if the
mail admin was including a copy of the offending content!