Re: [Exim] Blocking sobig.f

Página Inicial
Delete this message
Reply to this message
Autor: Chris Edwards
Data:  
Para: exim-users
Assunto: Re: [Exim] Blocking sobig.f
| > > drop    message = We do not accept mail of this kind
| > >     condition = ${if match{$sender_helo_name}{ED}{yes}{no}}


As I'm sure is clear, this is simply one infected PC that HELOs as `ED'.
Its probably the windoze hostname or similar. You might as well block its IP.



| condition = ${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}


Good stuff.

Sadly we have quite a lot of PCs on campus that HELO this way.

But blocking external mails looks like a go-er.


| basically this says "Must contain a dot but the first and last character may
| not be a dot". From expereince, this will stop all sobig.f mails.


Unless they've been relayed by some MTA

( where you get that MTA's HELO string )



--
Chris Edwards, Glasgow University Computing Service