I have the following in my exim.conf:

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  accept hosts = :
  Etc...

Do I put it after the accept host = :?

-----Original Message-----
From: Kevin Reed [mailto:krelvinaz@cox.net]
Sent: Wednesday, September 03, 2003 10:58 PM
To: 'Rossz Vamos-Wentworth'; exim-users@???
Subject: RE: [Exim] Bombarded by pif attachments
Rossz Vamos-Wentworth
> > I've been doing a double dash TZ zone date check first
> > and discarding there.
>
> I must have missed something along the way. WTF is a "double dash TZ
> zone date check"?
A simple check for the Sobig virus (and others).

  # This checks for defective TZ date header - Common Virus Header
  # Let's log this to the logs
  warn    log_message = DISCARD: MALFORMED DATE HEADER (double Dash on TZ)
          condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}

  # Now discard it so it doesn't bounce back as a virus sent by our user.
  discard condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}

Classic example (this had an application.pif attachment):
> From: <user@???>
> To: <user@???>
> Subject: Re: Your application
> Date: Wed, 3 Sep 2003 21:15:45 --0500
> X-MailScanner: Found to be clean
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0
Three common threads...
1) TZ has double dash in it.
2) X-MailScanner: Found to be clean
3) X-Mailer: Microsoft Outlook Express 6.00.2600.0000
However... The double dash TZ is easy to spot.
--
## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
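
Added example (not part of the original posts, and not Exim's own code): the same double-dash timezone test applied offline to raw message headers in Python, with folded headers unfolded first and the other two "common threads" reported as supporting signals only. The function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Same test as the ACL regex \s--\d{4}$ : whitespace, "--", four digits, end of value.
DOUBLE_DASH_TZ = re.compile(r"\s--\d{4}$")
# The other two "common threads" from the post, kept as supporting signals only.
SUPPORTING = {
    "X-MailScanner": "Found to be clean",
    "X-Mailer": "Microsoft Outlook Express 6.00.2600.0000",
}

def unfold(value):
    """Join folded header continuation lines and trim surrounding whitespace."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()

def triage(raw_message):
    """Return (verdict, supporting) where verdict is 'discard' or 'accept'."""
    msg = message_from_string(raw_message)
    # Checking every Date header present is a choice made for this example.
    dates = [unfold(d) for d in msg.get_all("Date", [])]
    bad_tz = any(DOUBLE_DASH_TZ.search(d) for d in dates)
    supporting = [name for name, want in SUPPORTING.items()
                  if unfold(msg.get(name, "")) == want]
    return ("discard" if bad_tz else "accept"), supporting

# Constructed sample messages (addresses are placeholders).
SOBIG_LIKE = (
    "From: <user@example.invalid>\n"
    "Subject: Re: Your application\n"
    "Date: Wed, 3 Sep 2003 21:15:45 --0500\n"
    "X-MailScanner: Found to be clean\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "\n"
    "body\n"
)
FOLDED = "Date: Wed, 3 Sep 2003 21:15:45\n --0500\nSubject: x\n\nbody\n"
NORMAL = (
    "Date: Wed, 3 Sep 2003 21:15:45 -0500\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "\n"
    "body\n"
)
NO_DATE = "Subject: x\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("sobig-like", SOBIG_LIKE), ("folded", FOLDED),
                      ("normal", NORMAL), ("no-date", NO_DATE)]:
        print(name, triage(raw))
```

Only the timezone test drives the verdict; a legitimate Outlook Express message with a well-formed Date header is accepted even though it matches a supporting signal.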