Re: [Exim] Blocking phony MS Security update emails

Author: Marc Perkel
Date:  
To: Wakko Warner
CC: Jeff Lasman, exim-users
Subject: Re: [Exim] Blocking phony MS Security update emails
What I do is install exiscan and I just block all executable files.
Thus - all viruses go away.

Wakko Warner wrote:

>>We're being hit by MS security update emails. They're not spam, but
>>rather more accurately described as virii or worms.
>>
>>Does anyone have a good rule that will block these? I know we'll have to
>>do it at "data" time, but I guess that's better than not blocking them
>>at all.
>>
>>
>
>I got so many of these (and server on dialup) that I block the users sending
>after the first time they send one through.
>
>Data acl:
>deny    message = I don't want your ------- virus
>    condition = ${if match{${lc:$h_from:}}{microsoft|message service|ms technical|security assistance|ms public|ms corporation|network delivery|ms net email|ms network|internet security|network security|technet|ms customer|inet service|security support|public assistance|ms net|program security|security center|ms security|network email|net mail|ms email|inet email|commercial client|public services|security section|technical assistance|customer assistance|" *" *<}{yes}{no}}
>    condition = ${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}
>
>deny    message = I don't want your ------- virus
>    condition = ${if match{${lc:$h_to:}}{mail receiver|mail client|ms corporation|internet user|inet user|commercial user|inet client|email user|mail user|inet recipient|client@|net user|network receiver|commercial consumer|internet recipient|@???|net client|network client|network user|internet receiver|< *>|commercial customer|commercial client|ms client}{yes}{no}}
>    condition = ${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}
>
>accept
>
>
>Remove the ${run condition if you don't want to block the virus senders.
>It's slowed for me, but I get enough to keep this active and I see at least 1
>repeat each time. I will not remove users from this autogenerated
>blacklist while the virus is still attempting to spread.
>
>--
> Lab tests show that use of micro$oft causes cancer in lab animals

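An added example, not part of the original messages or of Exim: a Python harness that replays a subset of the quoted From/To alternatives over constructed headers, so a rule like the one above can be checked for false positives before it is deployed, and that validates each envelope sender before it is added to the sender list. The function names, the sample messages and the address allow-list are assumptions.

```python
import re

# Subsets of the From/To alternatives from the quoted ACL, matched against the
# lower-cased header as ${lc:$h_from:} and ${lc:$h_to:} do.
FROM_RE = re.compile(r'microsoft|ms technical|security assistance|technet|'
                     r'ms security|security center|" *" *<')
TO_RE = re.compile(r'mail receiver|internet user|email user|net client|'
                   r'ms client|< *>')
# Assumption: conservative allow-list for addresses written to the list file.
SAFE_ADDR_RE = re.compile(r'[a-z0-9._+=-]+@[a-z0-9.-]+')

def verdict(h_from, h_to):
    """Return 'from' or 'to' for the deny rule that fires, None for accept."""
    if FROM_RE.search(h_from.lower()):
        return "from"
    if TO_RE.search(h_to.lower()):
        return "to"
    return None

def blacklist_entry(sender_address):
    """Normalise an envelope sender; None if empty (bounce) or not allow-listed."""
    addr = sender_address.strip().lower()
    return addr if SAFE_ADDR_RE.fullmatch(addr) else None

def run(messages, known=()):
    """Return (denied, new_entries) for (sender, From, To) tuples."""
    denied, entries, seen = [], [], set(known)
    for sender, h_from, h_to in messages:
        rule = verdict(h_from, h_to)
        if rule is None:
            continue
        denied.append((sender, rule))
        entry = blacklist_entry(sender)  # sender is remote-supplied: validate it
        if entry and entry not in seen:  # no blank lines, no duplicates
            seen.add(entry)
            entries.append(entry)
    return denied, entries

# Constructed sample traffic (not real mail): (envelope sender, From, To).
SAMPLES = [
    ("worm1@example.net", '"MS Technical Assistance" <x@example.net>', "u@example.org"),
    ("worm1@example.net", '"Security Center" <y@example.net>', "u@example.org"),
    ("worm2@example.net", "Admin <a@example.net>", '"Email User" <u@example.org>'),
    ("", '"" <z@example.net>', "u@example.org"),  # empty sender, as on a bounce
    ("news@example.com", "Microsoft Press <news@example.com>", "u@example.org"),
    ("alice@example.org", "Alice <alice@example.org>", "bob@example.org"),
]

if __name__ == "__main__":
    print(run(SAMPLES))
```

The fifth sample shows the cost of the bare `microsoft` alternative: a sender whose display name merely contains that word is denied and listed alongside the worm traffic.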