Re: [Exim] needed: beagle/bagle pattern

Author: Fred Viles
Date:  
To: Exim User's Mailing List
Subject: Re: [Exim] needed: beagle/bagle pattern
On 20 Jan 2004 at 13:45, Greg A. Woods wrote about
    "Re: [Exim] needed: beagle/bagle pat":


|...
| If I'm not mistaken the very same regular expression that detects mail
| bodies with sobig and many other viruses and worms will also detect this
| new worm:
|
|     "^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"


Your post prompted me to try this in a redirect router, since it
sounded trivial (no need for the exiscan patch). I must be missing
something obvious, since I can't get it to work. I added this router
definition above the normal alias and local delivery routers:

check_exe:
  driver    = redirect
  no_verify
  data        = ${if match { $message_body } \
        { "TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA" } \
        {exe} fail }


I left off the ^ since in $message_body newlines have been converted
to spaces. message_body_visible is set to 2000, which is more than
enough to include the first few lines of the attachment in the test
message I tried. pcretest says the pattern matches the text
cut&pasted from the message (with newlines converted to spaces).

But the router doesn't handle the message. I feel stupid, what am I
missing?

- Fred
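
The pattern quoted above matches the base64 encoding of a DOS/PE executable header ("MZ" encodes to "TV.."). As an added example that is not part of the original post, the Python sketch below models $message_body the way the post describes it (the first message_body_visible characters, newlines converted to spaces) and checks the pattern with and without the leading ^. The function names, the MIME body and the MZ header bytes are constructed for illustration.

```python
import base64
import re

# Pattern from the post; "^" is kept separate so both forms can be compared.
PATTERN = r"TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"

# Constructed 64-byte DOS "MZ" header plus zero padding (not a real sample).
MZ_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000b800000000000000" "40" + "00" * 39
)
ATTACHMENT_B64 = base64.encodebytes(MZ_HEADER + bytes(200)).decode("ascii")


def build_body(text_part: str) -> str:
    """Constructed two-part MIME body: a text part, then a base64 attachment."""
    return (
        "--b1\nContent-Type: text/plain\n\n" + text_part + "\n"
        "--b1\nContent-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n\n" + ATTACHMENT_B64 + "--b1--\n"
    )


def visible_body(raw: str, limit: int = 2000) -> str:
    """Model of $message_body as the post describes it (an assumption here):
    the first `limit` characters, with newlines converted to spaces."""
    return raw[:limit].replace("\n", " ")


def matches(body: str, anchored: bool = False) -> bool:
    """Search for the pattern, optionally with the original leading '^'."""
    return re.search(("^" if anchored else "") + PATTERN, body) is not None


if __name__ == "__main__":
    flat = visible_body(build_body("hello"))
    print("unanchored, flattened:", matches(flat))
    print("anchored, flattened:  ", matches(flat, anchored=True))
    # A text part longer than the visible limit hides the attachment entirely.
    long_flat = visible_body(build_body("x" * 3000))
    print("attachment past limit:", matches(long_flat))
    print("plain text only:      ", matches(visible_body("Just a note.\n")))
```

The third case is the one to watch when relying on a body-prefix match: an attachment that begins beyond the visible limit is never seen by the pattern.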