Rossz Vamos-Wentworth
> > I've been doing a double dash TZ zone date check first
> > and discarding there.
>
> I must have missed something along the way. WTF is a "double
> dash TZ zone date check"?
A simple check for the Sobig virus (and others).
# This checks for a defective TZ in the Date: header - common virus header
# Let's log this to the logs
warn    log_message = DISCARD: MALFORMED DATE HEADER (double dash on TZ)
        condition   = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
# Now discard it so it doesn't bounce back as a virus sent by our user.
discard condition   = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
Classic example (this one had an application.pif attachment):
> From: <user@???>
> To: <user@???>
> Subject: Re: Your application
> Date: Wed, 3 Sep 2003 21:15:45 --0500
> X-MailScanner: Found to be clean
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0
Three common threads...
1) TZ has double dash in it.
2) X-MailScanner: Found to be clean
3) X-Mailer: Microsoft Outlook Express 6.00.2600.0000
However... The double dash TZ is easy to spot.
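A stand-alone version of the same check, added here as an example and not part of the original post or of Exim itself: it applies the ACL's regex (whitespace, two dashes, four digits at the end of the Date: value) to constructed sample messages, so the rule can be exercised against a mail spool or log extract offline before it goes into a live ACL. The sample messages and the header values in them are constructed for this example.

```python
import re
from email import message_from_string

# Same pattern as the Exim ACL condition \N\s--\d{4}$\N: the timezone
# token is preceded by whitespace, starts with two dashes and ends the header.
DOUBLE_DASH_TZ = re.compile(r"\s--\d{4}$")

LOG_MESSAGE = "DISCARD: MALFORMED DATE HEADER (double dash on TZ)"


def is_double_dash_tz(date_value: str) -> bool:
    """True when the Date: header's timezone carries a double dash (e.g. --0500)."""
    return DOUBLE_DASH_TZ.search(date_value.strip()) is not None


def check_message(raw: str) -> dict:
    """Parse one raw RFC 822 message and decide whether the ACL would discard it.

    Mirrors the two ACL statements: the warn verb produces the log line, the
    discard verb drops the message without generating a bounce.
    """
    msg = message_from_string(raw)
    date = msg.get("Date", "")
    verdict = {"date": date, "discard": False, "log_message": None}
    if is_double_dash_tz(date):
        verdict["discard"] = True
        verdict["log_message"] = LOG_MESSAGE
    return verdict


def scan(messages):
    """Run the check over a list of raw messages; returns one verdict per message."""
    return [check_message(m) for m in messages]


# Constructed samples: the first mimics the malformed Date: seen on the
# virus mail, the second is an ordinary message with a legitimate -0500 zone.
MALFORMED = (
    "From: <sender@example.invalid>\r\n"
    "To: <user@example.invalid>\r\n"
    "Subject: Re: Your application\r\n"
    "Date: Wed, 3 Sep 2003 21:15:45 --0500\r\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\r\n"
    "MIME-Version: 1.0\r\n"
    "\r\n"
    "See the attached file.\r\n"
)

LEGIT = (
    "From: <sender@example.invalid>\r\n"
    "To: <user@example.invalid>\r\n"
    "Subject: Meeting notes\r\n"
    "Date: Wed, 3 Sep 2003 21:15:45 -0500\r\n"
    "MIME-Version: 1.0\r\n"
    "\r\n"
    "Notes from today attached.\r\n"
)

if __name__ == "__main__":
    for verdict in scan([MALFORMED, LEGIT]):
        action = verdict["log_message"] or "ACCEPT"
        print(f"{verdict['date']!r}: {action}")
```

Only the Date: header is examined, matching the original ACL; the X-MailScanner and X-Mailer lines from the sample are deliberately not used as signals, since a real Outlook Express build string is common in legitimate mail and would cause false discards.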