Re: [Exim] Blocking sobig.f

Author: Jerry Bell
Date:  
To: exim-users
Subject: Re: [Exim] Blocking sobig.f
<snip>
>
> I use this on my personal server. I can't at work because it can block
> enough legit to not be useful.


Another way I've found to very effectively block most all recent viruses
is by blocking 'bad' attachments:

deny  message = contains $found_extension file (blacklisted).
     demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh:ADE:ADP:BAS:BAT:CHM:CMD:COM:CPL:CRT:EXE:HLP:HTA:INF:INS:ISP:JS:JSE:LNK:MDB:MDE:MSC:MSI:MSP:MST:PCD:PIF:REG:SCR:SCT:SHS:SHB:URL:VB:VBE:VBS:WSC:WSF:WSH


This has worked well for me. I've heard much talk about this not always
working and one reason I've found is that the demime acl is case
sensitive. I don't have all permutations here, but upper and lower seem
to catch most all of them.

Regards,

Jerry
http://www.syslog.org
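
The case-permutation gap mentioned in the message above, as an added example that is not part of the original post and is not Exim code: a Python sketch that folds each attachment's extension to lower case before the comparison, so a single lower-case list covers every permutation. The function name blocked_attachments and the sample message are constructed for illustration.

```python
from email import message_from_string

# Lower-case half of the extension list from the post above.
BLOCKED = frozenset((
    "ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:inf:ins:isp:js:jse:lnk:"
    "mdb:mde:msc:msi:msp:mst:pcd:pif:reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:"
    "wsf:wsh"
).split(":"))

# Constructed sample message (not real traffic): one mixed-case attachment
# name that neither the all-lower nor the all-upper entry matches.
SAMPLE = """\
From: sender@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="details.PiF"

x
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

x
--b1--
"""


def blocked_attachments(raw: str) -> list[str]:
    """Return attachment filenames whose extension is blacklisted, in any case."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()  # Content-Disposition, else Content-Type name
        if not name:
            continue
        _, dot, ext = name.rpartition(".")
        # Fold case once here instead of listing permutations in the blacklist.
        if dot and ext.lower() in BLOCKED:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```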