RE: [Exim] Blocking sobig.f

Pàgina inicial
Delete this message
Reply to this message
Autor: Kevin Reed
Data:  
A: 'Smith, A.D.', exim-users
Assumpte: RE: [Exim] Blocking sobig.f
Smith, A.D.
> I have tried this, but some are still getting through ...
> I use exim 4.20 on Solaris 9 with the latest exiscan acl
> 4.20.x patch Unfortunately .pif attachments have been getting
> past exiscan acl and the system_filter. Could this be because
> I'm using the Solaris version of Perl? Should I get the
> latest one from CPAN?
>
> Any help or ideas would be great ;),


I have a Solaris 9 version using Exim-4.22 and exiscan-ACL as well.
I have not yet had a single PIF file get through.

My perl is 5.80.

99% of them are being caught as just plain invalid hostnames without reverse
DNS.

Your list of blacklisted extentions is quite larger than mine though...

  deny  message = This message contains an unwanted file extension
($found_extension)
        demime = bat:bas:chm:cmd:com:eml:lnk:exe:hlp:inf:pif:scr:vbs:vbe


But I am also using ClamAV..

  deny  message = VIRUS REJECT: This message was found to contain malware
($malware_name)
        demime = *
        malware = *


The few that got that far were snagged by CLAMAV. I don't recall anything
getting past that, but it is possible the system_filter might be catching
some too.

What I have had get though were a lot of virus warning messages which I just
started tagging in Spam Assassin.

>
> Alex
>
>>Jerry Bell


> Another way I've found to very effectively block most all
> recent viruses is by blocking 'bad' attachments:
>
> deny  message = contains $found_extension file (blacklisted).
>      demime =
> ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:inf:ins:isp:js:j
> se:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:reg:scr:sct:shs:shb:url:v
> b:vbe:vbs:wsc:wsf:wsh:ADE:ADP:BAS:BAT:CHM:CMD:COM:CPL:CRT:EXE:HL
> P:HTA:INF:INS:ISP:JS:JSE:LNK:MDB:MDE:MSC:MSI:MSP:MST:PCD:PIF:REG
> :SCR:SCT:SHS:SHB:URL:VB:VBE:VBS:WSC:WSF:WSH