Re: [Exim] Blocking phony MS Security update emails

Author: Wakko Warner
Date:  
To: Marc Perkel
CC: Jeff Lasman, exim-users
Subject: Re: [Exim] Blocking phony MS Security update emails
> What I do is install exiscan and I just block all executable files. Thus
> - all viruses go away.


Simple for me. No windows, no problem =) I just did that hack to stop them
wasting my bandwidth. I see no real reason to use exiscan.

> >>We're being hit by MS security update emails. They're not spam, but
> >>rather more accurately described as virii or worms.
> >>
> >>Does anyone have a good rule that will block these? I know we'll have to
> >>do it at "data" time, but I guess that's better than not blocking them
> >>at all.
> >>
> >>
> >
> >I got so many of these (and server on dialup) that I block the users sending
> >after the first time they send one through.
> >
> >Data acl:
> >deny    message = I don't want your ------- virus
> >    condition = ${if match{${lc:$h_from:}}{microsoft|message service|ms technical|security assistance|ms public|ms corporation|network delivery|ms net email|ms network|internet security|network security|technet|ms customer|inet service|security support|public assistance|ms net|program security|security center|ms security|network email|net mail|ms email|inet email|commercial client|public services|security section|technical assistance|customer assistance|" *" *<}{yes}{no}}
> >    condition = ${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}
> >
> >deny    message = I don't want your ------- virus
> >    condition = ${if match{${lc:$h_to:}}{mail receiver|mail client|ms corporation|internet user|inet user|commercial user|inet client|email user|mail user|inet recipient|client@|net user|network receiver|commercial consumer|internet recipient|@???|net client|network client|network user|internet receiver|< *>|commercial customer|commercial client|ms client}{yes}{no}}
> >    condition = ${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}
> >
> >accept
> >
> >
> >Remove the ${run condition if you don't want to block the virus senders.
> >It's slowed for me, but I get enough to keep this active and I see at least 1
> >repeat each time. I will not remove users from this autogenerated
> >blacklist while the virus is still attempting to spread.
> >
> >--
> > Lab tests show that use of micro$oft causes cancer in lab animals
> >

--
Lab tests show that use of micro$oft causes cancer in lab animals
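
Added example, not part of the original post or of Exim: the quoted ACL places $sender_address, which the remote client chooses, inside a /bin/sh -c command string. The helper below records the address without a shell evaluating it and accepts only a plain local@domain; the function names and the BLOCKLIST variable are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the post): record an envelope sender in the
# blocklist file without letting a shell or the list parser interpret it.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# is_safe_address ADDR: succeed only for a plain local@domain built from
# conservative characters. Rejects the empty (bounce) sender, shell
# metacharacters, and characters special in an Exim list file (* ! ^ #).
is_safe_address() {
    case $1 in
        ''|*[!A-Za-z0-9._+=@-]*) return 1 ;;  # empty or unexpected character
        *@*@*|@*|*@)             return 1 ;;  # not exactly one @ with two sides
        *@*)                     return 0 ;;
        *)                       return 1 ;;  # no @ at all
    esac
}

# record_sender ADDR: append ADDR once to $BLOCKLIST (assumed variable;
# defaults to the path used in the post). Takes exactly one argument.
record_sender() {
    [ "$#" -eq 1 ] || return 1
    file=${BLOCKLIST:-/etc/exim4/virus_senders}
    is_safe_address "$1" || return 1
    # -F fixed string, -x whole line: skip addresses already listed.
    if [ -f "$file" ] && grep -Fxq -- "$1" "$file"; then
        return 0
    fi
    printf '%s\n' "$1" >> "$file"
}

# When run as a script the address is argv[1]; it never appears inside a
# command string, so nothing in it is evaluated.
if [ "$#" -gt 0 ]; then
    record_sender "$@"
fi
```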