All,
Here's how we are blocking sobig.f on our public mail machines:
a) create a file called /usr/exim/filter.sobig

    if $header_subject: contains "Re: Your Application"
    or $header_subject: contains "Re: My Details"
    or $header_subject: contains "Re: Details"
    or $header_subject: contains "Your Details"
    or $header_subject: contains "Re: That movie"
    or $header_subject: contains "Re: Wicked screensaver"
    or $header_subject: contains "Re: Details"
    or $header_subject: contains "Re: Thank you!"
    or $header_subject: contains "Thank you!"
    or $header_subject: contains "Re: Approved"
    then
      seen finish
    endif

b) configure exim to use it, in /usr/exim/configure:

    #
    # filter for Sobig
    #
    system_filter = /usr/exim/filter.sobig

Okay, it's going to get some false positives (maybe) ...
Mike
PS. Credit to Pete Bowyer who hacked this together early this
morning
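
Added example, not part of the original message: a small Python check that pulls the `contains` strings out of the filter text above and reports which subjects it would silently discard, to gauge the false positives mentioned. The sample subjects are constructed and the function names are this example's own; it relies on the lowercase `contains` in an Exim filter being a case-independent substring test.

```python
import re

# The filter from the message above, embedded so the example runs offline.
FILTER_TEXT = """\
if $header_subject: contains "Re: Your Application"
or $header_subject: contains "Re: My Details"
or $header_subject: contains "Re: Details"
or $header_subject: contains "Your Details"
or $header_subject: contains "Re: That movie"
or $header_subject: contains "Re: Wicked screensaver"
or $header_subject: contains "Re: Details"
or $header_subject: contains "Re: Thank you!"
or $header_subject: contains "Thank you!"
or $header_subject: contains "Re: Approved"
then
seen finish
endif
"""

# One `$header_subject: contains "..."` test per match.
COND_RE = re.compile(r'\$header_subject:\s+contains\s+"([^"]*)"')

def parse_patterns(filter_text):
    """Distinct quoted strings tested against Subject, in file order."""
    return list(dict.fromkeys(COND_RE.findall(filter_text)))

def matched_by(subject, patterns):
    """Patterns that hit this subject (case-independent substring match)."""
    s = subject.lower()
    return [p for p in patterns if p.lower() in s]

def triage(subjects, patterns):
    """Map each subject the filter would discard to the patterns that hit."""
    hits = {s: matched_by(s, patterns) for s in subjects}
    return {s: h for s, h in hits.items() if h}

# Constructed sample subjects: two worm subjects, then ordinary mail.
SAMPLES = [
    "Re: Details",
    "Re: Wicked screensaver",
    "Thank you! Your order has shipped",
    "RE: DETAILS of Friday's meeting",
    "Fwd: Re: Approved budget for Q4",
    "Weekly status report",
]

if __name__ == "__main__":
    for subject, why in triage(SAMPLES, parse_patterns(FILTER_TEXT)).items():
        print(f"discarded: {subject!r} (matched {why})")
```

Running it over a day's worth of real Subject lines from the mail log shows how much legitimate mail the `seen finish` action would drop without a bounce.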