Re: [Exim] Blocking sobig.f

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] Blocking sobig.f
On Wed, 20 Aug 2003, Tim Jackson wrote:

> Hi Alan, on Wed, 20 Aug 2003 00:25:22 +0100 (BST) you wrote:
>
> > Now, what do we do about these hundreds of stupid 'you sent us a
> > virus' non-delivery reports.
>
> If you use SpamAssassin, you could kill them with some rules.
Indeed, but the creators of these reporting messages seem to be
devilishly creative in varying the format (and the envelope-sender) of
the reports. That's setting aside the several who have simply changed
the .pif into .txt and sent a complete copy of the virus to the
innocent bystander whose address had been counterfeited, which I rate
as criminal behaviour. Those slip past our detection of dangerous
filename extensions, but get caught by the antivirus templates and
refused. But there will always be that gap in time between the virus
starting to arrive and the vendor's template update arriving, so this
isn't to be taken lightly.

> I've been building up the following list of rules over the past few
> months which have not caused any false positives so far (but
> criticism welcome):
I've put those in, thanks, and looking good, but still got others
slipping past. We got subjects of

VIRUS IN YOUR MAIL
VIRUS (W32/Sobig-F) IN YOUR MAIL
Antigen found VIRUS= W32/Sobig-F [...]

Then there's that all-time favourite, putting this spaced-out tag

V I R U S A L E R T

into the body of the mail. Makes it so much easier to match with a
regex, hmmm?

I'm thinking that any envelope-sender which begins "NAVMSE-" can be
killed on sight, ??
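The three heuristics discussed in this message (the "VIRUS ... IN YOUR MAIL" / "Antigen found VIRUS" subjects, the spaced-out "V I R U S A L E R T" body tag, and a "NAVMSE-" envelope-sender prefix) as a small classifier over constructed sample messages. This is an added example, not code from the thread or from SpamAssassin; it assumes the envelope sender is available in a Return-Path header, and all function and sample names are my own.

```python
import re
from email import message_from_string

# Patterns reconstructed from the subjects quoted in the message above.
SUBJECT_PATTERNS = [
    re.compile(r"\bVIRUS\b.*\bIN YOUR MAIL\b", re.I),  # "VIRUS (W32/Sobig-F) IN YOUR MAIL"
    re.compile(r"\bAntigen found VIRUS\b", re.I),      # "Antigen found VIRUS= W32/Sobig-F"
]
# "V I R U S A L E R T": single letters separated by any amount of whitespace.
SPACED_ALERT = re.compile(r"\bV\s+I\s+R\s+U\s+S\s+A\s+L\s+E\s+R\s+T\b", re.I)
# Candidate envelope-sender rule floated in the message (assumed Return-Path form).
NAVMSE_SENDER = re.compile(r"^<?NAVMSE-", re.I)


def _text_body(msg):
    """First text/plain part, decoded; empty string if there is none."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("latin-1", "replace")
    return ""


def bounce_hits(raw):
    """Names of the heuristics that fire on a raw RFC 2822 message string."""
    msg = message_from_string(raw)
    hits = []
    if any(p.search(msg.get("Subject", "")) for p in SUBJECT_PATTERNS):
        hits.append("subject")
    if NAVMSE_SENDER.search(msg.get("Return-Path", "").strip()):
        hits.append("navmse_sender")
    if SPACED_ALERT.search(_text_body(msg)):
        hits.append("spaced_alert")
    return hits


# Constructed samples: one virus-notification bounce, one ordinary mail.
SAMPLE_BOUNCE = (
    "Return-Path: <NAVMSE-GATEWAY@example.invalid>\n"
    "From: postmaster@example.invalid\n"
    "Subject: VIRUS (W32/Sobig-F) IN YOUR MAIL\n"
    "\n"
    "V I R U S   A L E R T\nYour message contained a virus.\n"
)
SAMPLE_NORMAL = (
    "Return-Path: <alice@example.invalid>\n"
    "Subject: Re: antivirus update schedule\n"
    "\n"
    "No virus alert here, just scheduling.\n"
)

if __name__ == "__main__":
    print(bounce_hits(SAMPLE_BOUNCE), bounce_hits(SAMPLE_NORMAL))
```

The word boundaries keep "antivirus" in an ordinary subject from matching, which is the kind of false positive the rules in the thread were built to avoid.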