Re: [Exim] Blocking phony MS Security update emails

Author: Wakko Warner
Date:  
To: Jeff Lasman
CC: exim-users
Subject: Re: [Exim] Blocking phony MS Security update emails
> We're being hit by MS security update emails. They're not spam, but
> rather more accurately described as viruses or worms.
>
> Does anyone have a good rule that will block these? I know we'll have to
> do it at "data" time, but I guess that's better than not blocking them
> at all.


I got so many of these (and server on dialup) that I block the users sending
after the first time they send one through.

Data acl:
deny    message = I don't want your ------- virus
    condition = ${if match{${lc:$h_from:}}{microsoft|message service|ms technical|security assistance|ms public|ms corporation|network delivery|ms net email|ms network|internet security|network security|technet|ms customer|inet service|security support|public assistance|ms net|program security|security center|ms security|network email|net mail|ms email|inet email|commercial client|public services|security section|technical assistance|customer assistance|" *" *<}{yes}{no}}
    condition = ${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}


deny    message = I don't want your ------- virus
    condition = ${if match{${lc:$h_to:}}{mail receiver|mail client|ms corporation|internet user|inet user|commercial user|inet client|email user|mail user|inet recipient|client@|net user|network receiver|commercial consumer|internet recipient|@???|net client|network client|network user|internet receiver|< *>|commercial customer|commercial client|ms client}{yes}{no}}
    condition = ${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}


accept


Remove the ${run condition if you don't want to block the virus senders.
It's slowed for me, but I get enough to keep this active and I see at least 1
repeat each time. I will not remove users from this autogenerated
blacklist while the virus is still attempting to spread.

--
Lab tests show that use of micro$oft causes cancer in lab animals
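
Added example, not part of the original message: the ${run} conditions above place $sender_address, a value chosen by the remote client, inside a /bin/sh -c command string. One way to record the sender without a shell is a small helper that Exim runs directly with the address as its only argument; the helper itself, its allow-list, the lower-casing and the de-duplication are assumptions of this example.

```python
#!/usr/bin/env python3
"""Append a sender address to a blocklist file without involving a shell."""
import os
import re
import sys

# Path taken from the message above; everything else here is hypothetical.
BLOCKLIST = "/etc/exim4/virus_senders"

# Conservative allow-list (an assumption, stricter than RFC 5321): a single
# address with no whitespace, quotes or control characters, so one call can
# add at most one well-formed line to the file.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+=-]{1,64}@[A-Za-z0-9.-]{1,255}")


def normalise(address):
    """Return the lower-cased address, or None if it fails the allow-list."""
    if not isinstance(address, str) or not ADDRESS_RE.fullmatch(address):
        return None  # also covers the empty sender used by bounces
    return address.lower()


def record_sender(address, path=BLOCKLIST):
    """Append address to path once; returns 'added', 'duplicate' or 'rejected'."""
    entry = normalise(address)
    if entry is None:
        return "rejected"
    # O_APPEND sends every write to the end of the file; mode 0o640 keeps
    # the list unreadable to other local users.
    fd = os.open(path, os.O_RDWR | os.O_APPEND | os.O_CREAT, 0o640)
    with os.fdopen(fd, "r+", encoding="utf-8", errors="replace") as fh:
        fh.seek(0)
        if entry in {line.strip() for line in fh}:
            return "duplicate"
        fh.write(entry + "\n")
    return "added"


def main(argv):
    # Exactly one argument is expected; anything else means the caller split
    # the address unexpectedly, so refuse rather than guess.
    if len(argv) != 2:
        return 2
    return 0 if record_sender(argv[1]) != "rejected" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The address is only ever handled as data: it is checked against the allow-list and written with a file API, so nothing in it is interpreted as a command.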