RE: [Exim] Yet Another Filter to block SoBig.F

Author: Kevin Reed
Date:  
To: 'Avleen Vig', exim-users
Subject: RE: [Exim] Yet Another Filter to block SoBig.F
Avleen Vig
> # Exim filter
>
> if $header_X-MailScanner matches "Found to be clean"
> then
>     if $header_Content-type matches "(multipart/mixed)" and
> $header_X-Mailer matches "Microsoft Outlook Express 6.00.2600.0000"
>     and $message_body matches
> "name(:|=)\"(your_document.pif|document_all.pif|thank_you.pif|your_details.pif|details.pif|document_9446.pif|application.pif|wicked_scr.scr|movie0045.pif)\""
>     then
>         seen finish
>     endif
> endif


Wouldn't it just be easier to do...

  discard log_message = "DISCARD: Message contained ($found_extension)."
          demime = scr:pif


Of course the log_message doesn't actually log that (I'm still trying to
figure out how to do that),
but basically ANY mail with a *.pif or *.scr is simply dropped on the floor.


I can't think of any legit reason for allowing those.

This matches anyfilename.pif and anyfilename.scr

No filter necessary.
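
The difference between the two approaches in this thread, as an added example that is not part of either post and is not Exim's demime code: a Python sketch that runs the quoted filter's fixed-name pattern and an extension check over the same constructed message. The sample message, addresses, the unlisted filename and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string

# Fixed-name pattern from the quoted filter, applied to the body text.
NAME_LIST = re.compile(
    r'name(:|=)"(your_document.pif|document_all.pif|thank_you.pif|'
    r'your_details.pif|details.pif|document_9446.pif|application.pif|'
    r'wicked_scr.scr|movie0045.pif)"')

BLOCKED = {"scr", "pif"}  # same list as "demime = scr:pif"

# Constructed sample message; the attachment bytes are a harmless placeholder.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details
--b1
Content-Type: application/octet-stream; name="{name}"
Content-Disposition: attachment; filename="{name}"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

def name_list_hit(raw):
    """Quoted filter's approach: regex over the body (after the header block)."""
    body = raw.split("\n\n", 1)[1]
    return NAME_LIST.search(body) is not None

def blocked_extensions(raw):
    """Extension approach: parse the MIME tree and check every part's filename."""
    found = []
    for part in message_from_string(raw).walk():
        # get_filename() reads Content-Disposition filename=, else Content-Type name=
        name = part.get_filename()
        ext = name.rsplit(".", 1)[-1].lower() if name and "." in name else ""
        if ext in BLOCKED:  # lower-casing is this example's choice
            found.append(ext)
    return found

def compare(filename):
    """Return (fixed-name match, blocked extensions) for one attachment name."""
    raw = SAMPLE.format(name=filename)
    return name_list_hit(raw), blocked_extensions(raw)
```

A listed name such as details.pif is caught by both checks; an unlisted name with the same extension is caught only by the extension check.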