> We're being hit by MS security update emails. They're not spam, but
> rather more accurately described as viruses or worms.
>
> Does anyone have a good rule that will block these? I know we'll have to
> do it at "data" time, but I guess that's better than not blocking them
> at all.
I got so many of these (and server on dialup) that I block the users sending
after the first time they send one through.
Data acl:
  # Reject on the worm's From: display names, then record the envelope sender.
  deny message = I don't want your ------- virus
       condition = ${if match{${lc:$h_from:}}{microsoft|message service|ms technical|security assistance|ms public|ms corporation|network delivery|ms net email|ms network|internet security|network security|technet|ms customer|inet service|security support|public assistance|ms net|program security|security center|ms security|network email|net mail|ms email|inet email|commercial client|public services|security section|technical assistance|customer assistance|" *" *<}{yes}{no}}
       # $sender_address is chosen by the remote client, so it is only passed to
       # /bin/sh when it contains no shell metacharacters; the deny applies either way.
       condition = ${if match{$sender_address}{\N^[A-Za-z0-9._+=-]+@[A-Za-z0-9.-]+$\N}{${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}}{yes}}
  # Same again for the worm's To: display names.
  deny message = I don't want your ------- virus
       condition = ${if match{${lc:$h_to:}}{mail receiver|mail client|ms corporation|internet user|inet user|commercial user|inet client|email user|mail user|inet recipient|client@|net user|network receiver|commercial consumer|internet recipient|@???|net client|network client|network user|internet receiver|< *>|commercial customer|commercial client|ms client}{yes}{no}}
       condition = ${if match{$sender_address}{\N^[A-Za-z0-9._+=-]+@[A-Za-z0-9.-]+$\N}{${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}}{yes}}
  accept
Remove the ${run condition if you don't want to block the virus senders.
It's slowed for me, but I get enough to keep this active and I see at least 1
repeat each time. I will not remove users from this autogenerated
blacklist while the virus is still attempting to spread.
--
Lab tests show that use of micro$oft causes cancer in lab animals
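
Added example, not part of the original post: the ${run} conditions in the ACL above hand $sender_address, a value chosen by the remote client, to /bin/sh -c. Exim's ${run} does not use a shell unless one is coded explicitly, so a small helper can take the address as a plain argument instead. The helper name record_sender, its install path /usr/local/sbin/record_sender and the BLACKLIST variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Hypothetical helper (an assumption, not from the post). Assumed Exim call:
#   condition = ${run{/usr/local/sbin/record_sender $sender_address}{yes}{yes}}
# No /bin/sh -c is involved, so the address is never parsed as shell syntax.

LC_ALL=C; export LC_ALL                      # make A-Z / a-z ranges plain ASCII
BLACKLIST="${BLACKLIST:-/etc/exim4/virus_senders}"

# valid_sender ADDR: succeed only for local@domain built from an allow-list
# of characters. Anything else (empty bounce sender, quotes, spaces,
# ; ` $ | & and friends) is refused rather than escaped.
valid_sender() {
    case "$1" in
        ''|*[!A-Za-z0-9._+=@-]*) return 1 ;;   # empty, or a character outside the allow-list
        *@*@*)                   return 1 ;;   # more than one @
        ?*@?*)                   return 0 ;;   # non-empty local part and domain
        *)                       return 1 ;;
    esac
}

# record_sender ADDR: append ADDR to the blacklist once.
# Returns 0 when ADDR is listed afterwards, non-zero when it was refused.
record_sender() {
    [ "$#" -eq 1 ] || return 2                 # a split address arrives as several args
    addr=$1
    valid_sender "$addr" || return 1
    # -x whole line, -F fixed string, -- ends options: exact duplicate check
    if [ -f "$BLACKLIST" ] && grep -qxF -- "$addr" "$BLACKLIST"; then
        return 0
    fi
    printf '%s\n' "$addr" >> "$BLACKLIST"      # printf, not echo: no option or escape handling
}

# Act only when called with arguments (as Exim would); otherwise just define
# the functions so they can be sourced and tested.
[ "$#" -eq 0 ] || record_sender "$@"
```

Addresses the helper refuses are simply not recorded; the deny in the ACL still rejects the message.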