Re: [Exim] Blocking sobig.f

Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [Exim] Blocking sobig.f
Hi Alan, on Thu, 21 Aug 2003 12:47:56 +0100 (BST) you wrote:

> Tim Jackson wrote:
> > If you use SpamAssassin, you could kill them with some rules.
> Indeed, but the creators of these reporting messages seem to be
> devilishly creative in varying the format (and the envelope-sender) of
> the reports.
They certainly do. Like any kind of spam, we're never going to be able to
catch it all but I'm trying to address the low-hanging fruit of common
antivirus software where I can.

> That's setting aside the several who have simply changed
> the .pif into .txt and sent a complete copy of the virus to the
> innocent bystander whose address had been counterfeited, which I rate
> as criminal behaviour.
I don't think I've seen that but, as with Chris's mention yesterday of
virus scanners faking postmaster@victim addresses, that really does make
me want to wring the neck of some programmers. Really, if they think stuff
like that is OK, they have no business writing software that is
sold/intended to be part of an organisation's security.

> We got subjects of
> VIRUS IN YOUR MAIL
> VIRUS (W32/Sobig-F) IN YOUR MAIL
> Antigen found VIRUS= W32/Sobig-F [...]
Thanks, I've added those :) Maybe I should maintain this list on my
website...? Anyone else find it useful?

(Incidentally, it has been pointed out to me that some SA users may not
know what to do with these rules if they've never used custom rules before
- the answer, for those people, is to put it in your global SA config
file, which may for example be in /etc/mail/spamassassin/local.cf)

Kevin Reed also sent me this Subject:

Norton AntiVirus detected and quarantined a virus

> I'm thinking that any envelope-sender which begins "NAVMSE-" can be
> killed on sight, ??
Is that what the Norton AV for Sexchange sets its envelope sender to? I
have to say I've not been paying much/enough attention to patterns in the
envelope sender/From header.
Tim
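As an added illustration, not part of Tim's message or his actual rule list, here is what the Subject-based rules discussed above look like when placed in a global SpamAssassin config such as /etc/mail/spamassassin/local.cf. The rule names, the scores and the EnvelopeFrom check based on Alan's "NAVMSE-" suggestion are assumptions; the Subject patterns are the ones quoted in the thread.

```spamassassin
# Subject lines of common "you sent us a virus" notifications quoted in the thread
header   LOCAL_AV_BOUNCE_SUBJ   Subject =~ /^(?:VIRUS(?: \([^)]*\))? IN YOUR MAIL|Antigen found VIRUS=|Norton AntiVirus detected and quarantined a virus)/i
describe LOCAL_AV_BOUNCE_SUBJ   Subject of a known antivirus bounce/notification message
score    LOCAL_AV_BOUNCE_SUBJ   0.5

# Envelope sender prefix suggested by Alan (assumed: not confirmed in the thread)
header   LOCAL_AV_BOUNCE_NAVMSE  EnvelopeFrom =~ /^NAVMSE-/i
describe LOCAL_AV_BOUNCE_NAVMSE  Envelope sender beginning with NAVMSE-
score    LOCAL_AV_BOUNCE_NAVMSE  0.5

# The virus name itself, anywhere in the headers
header   LOCAL_SOBIGF_NAME      ALL =~ /W32\/Sobig[.-]F|Sobig\.F/i
describe LOCAL_SOBIGF_NAME      Mentions Sobig.F in a header
score    LOCAL_SOBIGF_NAME      0.1

# Only a combination of signals gets a score high enough to matter,
# so a genuine message that merely mentions the virus is not caught
meta     LOCAL_AV_BOUNCE        (LOCAL_AV_BOUNCE_SUBJ && LOCAL_SOBIGF_NAME) || LOCAL_AV_BOUNCE_NAVMSE
describe LOCAL_AV_BOUNCE        Likely forged-sender virus notification (Sobig.F bounce)
score    LOCAL_AV_BOUNCE        4.0
```

Run `spamassassin --lint` after editing local.cf to confirm the regexes and meta rule parse before restarting spamd.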