Re: [Exim] Blocking sobig.f

Pàgina inicial
Delete this message
Reply to this message
Autor: Wakko Warner
Data:  
A: Chris Edwards
CC: exim-users
Assumpte: Re: [Exim] Blocking sobig.f
Chris Edwards wrote:
> | > > drop    message = We do not accept mail of this kind
> | > >     condition = ${if match{$sender_helo_name}{ED}{yes}{no}}

>
> As I'm sure is clear, this is simply one infected PC that HELOs as `ED'.
> Its probably the windoze hostname or similar. You might as well block its IP.


Here's the list of HELOs I've seen (out of about 160 virus mails):
ED
L-308
BOBS
RNPC47
YOUR-US67PI6LUV
LR
SE-VASQUEZ

It's kept the payload down.

> | condition = ${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}
>
> Good stuff.


Thanks =)

> Sadly we have quite a lot of PCs on campus that HELO this way.


I use this on my personal server. I can't at work because it can block
enough legit to not be useful.

> But blocking external mails looks like a go-er.


Definately =)

> | basically this says "Must contain a dot but the first and last character may
> | not be a dot". From expereince, this will stop all sobig.f mails.
>
> Unless they've been relayed by some MTA
>
> ( where you get that MTA's HELO string )


True, but if the virus has it's own MTA and doesn't helo with a FDQN, It'll
get caught. Spammers do this sometimes too. My backup MX also does the
same acl checks that my primary does.

--
Lab tests show that use of micro$oft causes cancer in lab animals