Re: [Exim] Blocking sobig 'I Blocked sobig' messages

Author: Russell King
Date:  
To: jvanasco
CC: exim-users
Subject: Re: [Exim] Blocking sobig 'I Blocked sobig' messages
On Wed, Aug 20, 2003 at 05:56:37PM -0400, jvanasco@??? wrote:
> So yes. We've discussed blocking sobig at length today.


And by blocking it you're adding to your threat #2. As I said earlier
today, you ideally want to blackhole these known virii so that you
yourself aren't contributing to the mass of inappropriate bounces.

exim 4.2x has a nice feature for this which can be used in the DATA
ACL - discard.

Eg, simplified example:

  discard condition     = ${if match {$header_subject:}{Re: Approved} {yes}{no}}
          log_message   = rejecting known virus ($header_subject:)


NB1. it would be nice if log_message replaced or supplemented the
     message logged in main.log.
NB2. I recommend increasing the security of the condition check to
     prevent false positives.


With that in place, I see the following in my logs:

2003-08-20 23:31:52 19pbUe-0001XX-Mz <= xxxxxxxx@??? H=xxxxxxx.gotadsl.co.uk (FEARLESSJUDY) [xxx.xxx.xxx.xxx] P=esmtp S=915
2003-08-20 23:31:52 19pbUe-0001XX-Mz => blackhole (DATA ACL discarded recipients)

In all likelihood, the guy at hotmail didn't send the message from
gotadsl.co.uk, so causing a bounce message to be sent to hotmail just
adds to the overall problem.

--
Russell King (rmk@???)                The developer of ARM Linux
             http://www.arm.linux.org.uk/personal/aboutme.html
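The following is an added example, not code from Russell King's post or from the Exim project. It prototypes in Python the tightened condition that NB2 above asks for: instead of discarding on the subject line alone, the rule fires only when the subject matches AND the message carries an executable-style attachment, so an ordinary human reply titled "Re: Approved" gets through. The subject pattern is the one from the post; the attachment extensions (.pif, .scr) and the sample messages are assumptions constructed here for illustration. The verdict names mirror the ACL verbs: "discard" swallows the message without any bounce, which is the point of the post, while "accept" lets it through.

```python
"""Prototype of a stricter 'discard known worm' DATA-ACL check.

Added example; not Exim's code. The real rule would be expressed in an
Exim ACL with ${if and{...}} over the same indicators, but the logic is
easier to test here.
"""
import re
from email import message_from_bytes
from email.policy import default

# Subject the original post keys on.
SUBJECT_RE = re.compile(r"^Re: Approved$")
# Assumed additional indicator: attachment extensions used by executable
# payloads. Requiring this as well as the subject cuts false positives.
WORM_EXTS = (".pif", ".scr")


def attachment_names(msg):
    """Filenames of all attachment parts (empty for single-part mail)."""
    return [p.get_filename() or "" for p in msg.iter_attachments()]


def classify(raw: bytes) -> str:
    """Return the ACL verdict for a raw RFC 2822 message: 'discard' or 'accept'.

    'discard' means swallow the message silently, generating no bounce to
    the (probably forged) envelope sender.
    """
    msg = message_from_bytes(raw, policy=default)
    subject = (msg["Subject"] or "").strip()
    worm_subject = SUBJECT_RE.match(subject) is not None
    worm_attachment = any(
        n.lower().endswith(WORM_EXTS) for n in attachment_names(msg)
    )
    # Both indicators must be present; either one alone is too weak.
    if worm_subject and worm_attachment:
        return "discard"
    return "accept"


# --- constructed sample messages (not real captures) ---------------------
WORM_LIKE = (
    b"From: someone@example.com\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: Re: Approved\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see the attached file for details.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream; name=\"your_document.pif\"\r\n"
    b"Content-Disposition: attachment; filename=\"your_document.pif\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"QUJDRA==\r\n"
    b"--b1--\r\n"
)

# A genuine reply that happens to use the same subject: must NOT be discarded.
LEGIT_REPLY = (
    b"From: colleague@example.com\r\n"
    b"To: you@example.org\r\n"
    b"Subject: Re: Approved\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Great, the budget is approved then. Thanks!\r\n"
)

# Same subject, harmless attachment type: also accepted.
REPLY_WITH_PDF = (
    b"From: colleague@example.com\r\n"
    b"To: you@example.org\r\n"
    b"Subject: Re: Approved\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b2\"\r\n"
    b"\r\n"
    b"--b2\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Signed copy attached.\r\n"
    b"--b2\r\n"
    b"Content-Type: application/pdf; name=\"approval.pdf\"\r\n"
    b"Content-Disposition: attachment; filename=\"approval.pdf\"\r\n"
    b"\r\n"
    b"%PDF-1.4\r\n"
    b"--b2--\r\n"
)

if __name__ == "__main__":
    for name, raw in (("worm-like", WORM_LIKE),
                      ("legit reply", LEGIT_REPLY),
                      ("reply with pdf", REPLY_WITH_PDF)):
        print(f"{name:15s} -> {classify(raw)}")
```

The subject-only rule from the post would have discarded all three sample messages; with the attachment indicator added, only the first is swallowed. In a live deployment the same two-part test would sit in the DATA ACL so that the verdict is taken before the message is accepted, which is what keeps a bounce from ever being generated.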