Re: [Exim] Blocking sobig.f

Author: Marc Beyer
Date:  
To: frank
CC: tsh, exim-users
Subject: Re: [Exim] Blocking sobig.f
Hi,

here's a solution using regexes on the subject line as well as the
message content. For Frank's purpose you could modify the regex by
removing the ^ at the beginning of every match (this matches the
beginning of a string).

# Fire only when BOTH hold: the visible body carries a base64 fragment of the
# attachment's executable header, AND the subject is one of the known Sobig.F
# subjects, anchored at both ends ("\\$" survives quoting and expansion as a
# plain "$", i.e. the regex end-of-string anchor).
# Note: $message_body holds only the first message_body_visible bytes of the
# body (Exim's default is 500), so the marker must fall inside that window.
if ($message_body contains "A4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4ga") and
        ( $header_subject: matches "^[Rr]e: [Yy]our [Aa]pplication\\$"
        or $header_subject: matches "^([Rr]e: )?([Rr]e:|[Rr]e: [Mm]y|[Yy]our) [Dd]etails\\$"
        or $header_subject: matches "^([Rr]e: )?[Tt]hank [Yy]ou!\\$"
        or $header_subject: matches "^[Rr]e: [Tt]hat [Mm]ovie\\$"
        or $header_subject: matches "^[Rr]e: [Ww]icked [Ss]creensaver\\$"
        or $header_subject: matches "^[Rr]e: [Aa]pproved\\$")  then
        logfile /var/log/exim4/mainlog
        logwrite "$tod_log $message_id Sobig F worm detected in mail from host $sender_host_name[$sender_host_address]"
        seen finish
endif


This could be vastly beautified if it was possible to use the
/i regex modifier for caseless matching, but I don't think you can do that in
the exim filters (please correct me if I'm wrong).

It also gives you a nicely greppable log entry which you can use to list
infected hosts.

Cheers,

Marc
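
The combined check from Marc's filter, together with the points raised earlier in the thread (Terry's worry about "contains" rejecting legitimate mail, Frank's list-tagged "[PHP-INST] Re: ..." subjects), as an added Python example that is not part of the original posts and not Exim code. It mirrors the two conditions of the filter: the body marker and an anchored, now caseless, subject match, with an optional mailing-list tag allowed in front. Two things the thread does not spell out: the base64 marker decodes to the standard DOS stub found at the head of Windows executables ("This program cannot be run in DOS mode"), so by itself it flags any base64-encoded executable attachment, and the subject test is what makes the match worm-specific; and Exim's $message_body only exposes the first message_body_visible bytes of the body (default 500), which the example models with a body_visible parameter. The sample messages are constructed, not captured traffic; the subject list and marker string are the ones from the thread. For caseless matching in Exim itself, the PCRE engine behind "matches" accepts a leading (?i) in the pattern.

```python
import re
from email import message_from_string

# Marker from the thread. It is a base64 fragment of the DOS stub at the start of
# Windows executables, so alone it matches any base64-encoded .exe/.pif attachment.
SOBIG_BODY_MARKER = "A4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4ga"

# The subject forms from the thread, written once with caseless matching instead
# of [Rr]-style classes. An optional "[list-tag] " prefix lets copies relayed via
# a mailing list match while the pattern stays anchored at both ends.
SUBJECT_FORMS = [
    r"re: your application",
    r"(?:re: )?(?:re:|re: my|your) details",
    r"(?:re: )?thank you!",
    r"re: that movie",
    r"re: wicked screensaver",
    r"re: approved",
]
SUBJECT_RE = re.compile(
    r"^(?:\[[^\]]+\] )?(?:" + "|".join(SUBJECT_FORMS) + r")$", re.IGNORECASE
)

# Exim's default for message_body_visible: how many bytes of the raw body are
# exposed in $message_body.
DEFAULT_BODY_VISIBLE = 500


def visible_body(raw_message: str, body_visible: int = DEFAULT_BODY_VISIBLE) -> str:
    """Approximate Exim's $message_body: the first body_visible bytes of the raw
    body (everything after the blank line that ends the headers), with newlines
    turned into spaces."""
    sep = raw_message.find("\n\n")
    body = raw_message[sep + 2:] if sep != -1 else ""
    return body[:body_visible].replace("\n", " ")


def is_sobig_f(raw_message: str, body_visible: int = DEFAULT_BODY_VISIBLE) -> bool:
    """True only when both filter conditions hold: the marker is inside the
    visible body AND the subject is an exact (caseless, optionally list-tagged)
    Sobig.F subject. Either condition alone is not enough."""
    subject = (message_from_string(raw_message).get("Subject") or "").strip()
    has_marker = SOBIG_BODY_MARKER in visible_body(raw_message, body_visible)
    return has_marker and SUBJECT_RE.match(subject) is not None


def make_message(subject: str, body: str) -> str:
    """Assemble a minimal raw message (constructed test input, not real traffic)."""
    return f"From: a@example.invalid\nTo: b@example.invalid\nSubject: {subject}\n\n{body}"


# Constructed body: a short text part followed by one base64 line that decodes to
# zero bytes plus a DOS stub ending in "This program cannot be run in DOS mode.",
# and therefore contains the marker.
EXE_BODY = (
    "Please see the attached file for details.\n\n"
    "AAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu\n"
)
TEXT_BODY = "Here are the details you asked for.\n"

if __name__ == "__main__":
    cases = [
        ("Re: Your application", EXE_BODY),           # worm: subject + marker
        ("[PHP-INST] RE: DETAILS", EXE_BODY),         # worm relayed through a list
        ("Re: Details", TEXT_BODY),                   # ordinary reply, no attachment
        ("Re: Q3 build", EXE_BODY),                   # executable attached, other subject
        ("Re: Your application - urgent", EXE_BODY),  # anchoring: not an exact subject
    ]
    for subject, body in cases:
        print(f"{is_sobig_f(make_message(subject, body))!s:5}  {subject}")
```

The last case in the block shows what anchoring buys over "contains": a subject that merely starts with a worm subject is not rejected. The body_visible parameter is there to make the 500-byte window visible in testing; if a real message's marker sat beyond it, raising message_body_visible in the Exim configuration would be the fix, not loosening the subject test.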

Frank S. Bernhardt wrote:

> Actually, I use the "contains" rather than "is" on purpose. The PHP_INST
> mailing list got hit big time with this virus and was sending out emails
> with the subject line: "[PHP-INST] Re:...etc".
>
> But your point is a good one.
>
> Thanks.
>
>
> tsh@??? wrote:
>
>> We've been doing something similar with per-user filters,
>> but I would suggest replacing 'contains' with IS
>> since this might result in fewer accidentally rejected
>> messages.
>>
>> Cheers,
>> Terry.
>>
>>
>>
>>> I like this solution.
>>>
>>> It's simple and it certainly does work.
>>>
>>> Thank you.
>>>
>>> Michael J. Tubby B.Sc. (Hons) G8TIC wrote:
>>>
>>>> All,
>>>>
>>>> Here's how we are blocking sobig.f on our public mail machines:
>>>>
>>>>
>>>> a) create a file called /usr/exim/filter.sobig
>>>>
>>>> if $header_subject: contains "Re: Your Application"
>>>> or $header_subject: contains "Re: My Details"
>>>> or $header_subject: contains "Re: Details"
>>>> or $header_subject: contains "Your Details"
>>>> or $header_subject: contains "Re: That movie"
>>>> or $header_subject: contains "Re: Wicked screensaver"
>>>> or $header_subject: contains "Re: Details"
>>>> or $header_subject: contains "Re: Thank you!"
>>>> or $header_subject: contains "Thank you!"
>>>> or $header_subject: contains "Re: Approved"
>>>> then
>>>> seen finish
>>>> endif
>>>>
>>>>
>>>> b) configure exim to use it, in /usr/exim/configure:
>>>>
>>>>    #
>>>>    # filter for Sobig
>>>>    #
>>>>    system_filter = /usr/exim/filter.sobig
>>>>
>>>>
>>>>
>>>>
>>>> Okay, it's going to get some false positives (maybe) ...
>>>>
>>>>
>>>> Mike
>>>>
>>>> PS. Credit to Pete Bowyer who hacked this together early this
>>>> morning
>>>>
>>>> --
>>>>
>>>> ## List details at http://www.exim.org/mailman/listinfo/exim-users
>>>> Exim details at http://www.exim.org/ ##
>>>>
>>>>
>>>
>>> --
>>>
>>> Regards
>>>
>>> Frank S. Bernhardt
>>> b.c.s.i.
>>> 14 Halton Court
>>> Markham, ON. Canada
>>> L3P 6R3
>>>
>>> 905-471-1691 Voice
>>> 905-471-3016 FAX
>>>
>>> frank@???
>>>
>>> Registered Linux-User #312398 with the Linux Counter,
>>> http://counter.li.org.
>>>
>>>
>>>
>>
>>
>>
>